Auth0 RBAC: nodejs using express-jwt-authz

vinood.persad · December 10, 2022, 3:21am

Hi community, looking for some assistance on Auth0 RBAC with nodejs.
I have configured RBAC on Auth0, angular frontend and nodejs backend. The nodejs backend uses express-jwt-authz. When i print out the token and go to jwt.io i can see everything is as it should be however the server is returning 403 forbidden on my route. Permissions are sent as read:employees and is configured exactly the same in the code as you can see before.

I have placed the node js code along with an example token of what the server is seeing:

const express = require(‘express’);
const router = express.Router();
const { expressjwt: jwt } = require(‘express-jwt’);
const jwks = require(‘jwks-rsa’);
const jwtAuthz = require(“express-jwt-authz”);

const authorizeAuth0Token = jwt({
secret: jwks.expressJwtSecret({
cache: true,
rateLimit: true,
jwksRequestsPerMinute: 5,
jwksUri: ${process.env.AUT0_DOMAIN}.well-known/jwks.json
}),
audience: process.env.AUT0_AUDIENCE,
issuer: process.env.AUT0_DOMAIN,
algorithms: [‘RS256’]
});

const checkAuthPermissions = jwtAuthz([‘read:employees’], {
customScopeKey: “permissions”
});

router.get(‘/employees’,authorizeAuth0Token, checkAuthPermissions, (req, res) => {
res.status(200).json({‘test’:‘this api call is good’})
});

Token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImdRUjNLdHFheWpGc2Z6Y05qUGFKSSJ9.eyJpc3MiOiJodHRwczovL2Rldi1ibGE1Z3Q0aGh5M2Rwd3Y2LnVzLmF1dGgwLmNvbS8iLCJzdWIiOiJhdXRoMHw2MzhiOWQwMjg3NzlhMDBlNTI2YTU0NWMiLCJhdWQiOlsiaHR0cHM6Ly9taXRhc2svYXBpIiwiaHR0cHM6Ly9kZXYtYmxhNWd0NGhoeTNkcHd2Ni51cy5hdXRoMC5jb20vdXNlcmluZm8iXSwiaWF0IjoxNjcwNjQxNDEwLCJleHAiOjE2NzA2NDUwMTAsImF6cCI6IkF2SWt4U0lqTUxleU9PVjNQMkdlNFBFRXJpdkRxU2hlIiwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCIsInBlcm1pc3Npb25zIjpbInJlYWQ6ZW1wbG95ZWVzIl19.fYXSVJa4CSPt_UCIXJM9e6MPOD2xyx1KgogCeVVF0Mwo0YD68Qex7iUUU3O60gMGdMrh7x6B73qAakl-tS-gLH_bVVM3PHWf4v_fSSRbju2IIeLEHkTAAMRc6qk8jNzqiB725etGEJlmZDYipU9ryfHl11FnFFjX8kYDW4lBCbKOxdLcmHSZpJppsQ6QU0eFNLCp2_PKUqGx6waofVZ6_IpBS3b4LHfVjQkzsyGdWOFtLIRIoSnciaqkDMpT-FxydWGfp7EeP5eUaBk8n3RvZ22VMNLkkVxZPUDTmFM6wZMhu22kpy1F_h5DmfaKz6A5WYP22mLouecQtw7fYZltjw

tyf · December 12, 2022, 10:01pm

Hey there @vinood.persad!

Hmm that’s interesting you’re getting a 403 here - Are there any clues in the error logging as to why?

While I haven’t used express-jwt-authz myself, I was able to get this working using the updated express-oauth2-jwt-bearer library to achieve what you are after. My code looks like this:

const cors = require("cors");
const morgan = require("morgan");
const helmet = require("helmet");
const authConfig = require("./src/auth_config.json");

const express = require('express');
const { auth, requiredScopes, claimEquals, claimIncludes } = require('express-oauth2-jwt-bearer');
require('dotenv').config(); // Load the .env variables

const appPort = process.env.SERVER_PORT || 3000;
const appOrigin = authConfig.appOrigin || `http://localhost:${appPort}`;

const app = express();
const checkJwt = auth();
app.use(morgan("dev"));
app.use(helmet());
app.use(cors({ origin: appOrigin }));

//using claimIncludes to check if the permissions claim contains read:msg
app.get('/api/external', checkJwt, claimIncludes('permissions', 'read:msg'), (req, res) => {
  res.json({ message: `Hello ${req.auth.payload.sub} - Permissions: ${req.auth.payload.permissions}` });
});

app.listen(3001, () => console.log('listening at http://localhost:3001'))

I’m using this alongside our React sample to test, you can find my fork here.

Depending on where you are at in your project, it might be worth switching over to the improved experience - Some more on that here:

Hope this helps!

vinood.persad · December 22, 2022, 1:43pm

Thanks so much for the reply and the help. And also thanks for the example snippet provided. I took a look at the blog you provided and I do believe this will definitly fix my issue. I am yet to perform a test of this as its been a little busy with end of year, however I will be testing this solution within the coming days. i will confirm this helps as soon as I am done testing.

tyf · December 22, 2022, 11:37pm

No problem, happy to help! Please keep us posted here on the results if you can

vinood.persad · December 23, 2022, 3:23pm

Works like a charm. Thanks for the help much appreciated! enjoy the holidays!

tyf · December 23, 2022, 11:26pm

Great to know and thanks for following up here Happy holidays!

system · January 6, 2023, 11:26pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Express API - 403 (Forbidden) when trying to use permissions Help	1	3286	February 17, 2020
How retrive user's role in NodeJS/ExpressJS using the Auth0's Core Authorization Feature Set Help	1	3336	September 21, 2020
Nodejs express auth0 unauthorized 401 Help	0	3008	February 11, 2022
Which backend library to use and should i use "permissions" or. "scope" field role/permission validation on our backend? Help permissions , node-auth0	0	2699	January 24, 2022
Get AccessToken to authorize API Help nodejs , access_token , api-authorization	5	2773	September 30, 2021

Auth0 RBAC: nodejs using express-jwt-authz

Related topics