Auth0 Home Blog Docs

Auth0 delegated admin

delegated-admin
#1

I have gone through the tutorial on how to setup the auth0-delegated-admin extension.
I have updated a user´s metadata to include an administrative role as described.
However I get the following error when logging in to retrieve a list of users:

Oh snap! An error occurred while loading the users list: Cannot perform action. Missing scope read:users

And in console I get:
Failed to load resource: the server responded with a status of 403 (Forbidden)

Is anyone familiar with this error? I saw that someone posted a similar question last summer but never seems to have gotten an answer.

Best regards
-A

#2

I ran into this issue too (and found this post) but ended up resolving it.

For me, it was a matter of getting the id token role claim right.

The documentation is a little misleading, it says stuff about legacy/non-compliant but that’s only if you export using user.role, the other way is to namespace it into context.idToken with a URL, then you don’t need the legacy setting.

Your custom claim must start with “https:” and end with “auth0-delegated-admin” (this is defined in the source code of the extension).

My problem was that I had:

const namespace = 'https://sso.example.org/claims/'; // use your own domain
if (someCondition) {
   context.idToken[`${namespace}auth0-delegated-admin`] = ['Delegated Admin - Operator'];
}

when I really needed:

const namespace = 'https://sso.example.org/claims/'; // use your own domain
if (someCondition) {
   context.idToken[`${namespace}auth0-delegated-admin`] = { roles: ['Delegated Admin - Operator'] };
}

Now it works!

#3

Thanks a lot for sharing that @emsearcy! Have you had a chance to see that @arnaringig?

closed #4

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.