I have gone through the tutorial on how to set up the auth0-delegated-admin extension.
I have updated a user's metadata to include an administrative role as described.
However I get the following error when logging in to retrieve a list of users:
Oh snap! An error occurred while loading the users list: Cannot perform action. Missing scope read:users
And in console I get:
Failed to load resource: the server responded with a status of 403 (Forbidden)
Is anyone familiar with this error? I saw that someone posted a similar question last summer but never seems to have gotten an answer.
I ran into this issue too (and found this post) but ended up resolving it.
For me, it was a matter of getting the id token role claim right.
The documentation is a little misleading: it says stuff about legacy/non-compliant, but that's only if you export using user.role. The other way is to namespace it into context.idToken with a URL; then you don't need the legacy setting.
Your custom claim must start with “https:” and end with “auth0-delegated-admin” (this is defined in the source code of the extension).
My problem was that I had:
```javascript
const namespace = 'https://sso.example.org/claims/'; // use your own domain
if (someCondition) {
  // wrong: the claim value is a bare array, which the extension does not read
  context.idToken[`${namespace}auth0-delegated-admin`] = ['Delegated Admin - Operator'];
}
```
when I really needed:
```javascript
const namespace = 'https://sso.example.org/claims/'; // use your own domain
if (someCondition) {
  // correct: the claim value is an object with a "roles" array
  context.idToken[`${namespace}auth0-delegated-admin`] = { roles: ['Delegated Admin - Operator'] };
}
```
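An added example, not code from the post above or from the extension itself: a rule-style function that emits the claim in the object shape the answer arrives at, plus a check that reads a decoded id token payload the way the answer describes the extension matching it (key starts with "https:" and ends with "auth0-delegated-admin", value is `{ roles: [...] }`). The `NAMESPACE` value, the `app_metadata.roles` source, and the exact matching behaviour are assumptions for illustration.

```javascript
// Added example; not the extension's own code. NAMESPACE is a constructed placeholder.
const NAMESPACE = 'https://sso.example.org/claims/';
const CLAIM_SUFFIX = 'auth0-delegated-admin';

// Rule-style helper: copy roles from user.app_metadata.roles (assumed location)
// into the namespaced id token claim, using { roles: [...] } rather than a bare array.
function addDelegatedAdminClaim(user, context) {
  const roles = user.app_metadata && Array.isArray(user.app_metadata.roles)
    ? user.app_metadata.roles
    : [];
  if (roles.length > 0) {
    context.idToken[`${NAMESPACE}${CLAIM_SUFFIX}`] = { roles };
  }
  return context;
}

// Defender-side check on a decoded id token payload: locate the claim by the naming
// rule the answer describes and return its roles. A claim with the wrong value shape
// (e.g. a bare array, the mistake in the post) yields no roles, which is what shows
// up as "Missing scope read:users" in the extension.
function extractDelegatedAdminRoles(payload) {
  for (const [key, value] of Object.entries(payload)) {
    if (!key.startsWith('https:') || !key.endsWith(CLAIM_SUFFIX)) continue;
    if (value && typeof value === 'object' && Array.isArray(value.roles)) {
      return value.roles.filter((r) => typeof r === 'string');
    }
    return []; // matched key, wrong shape: treat as no roles
  }
  return []; // no matching claim at all
}

module.exports = { addDelegatedAdminClaim, extractDelegatedAdminRoles };
```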