Auth0 RBAC: nodejs using express-jwt-authz

vinood.persad · December 10, 2022, 3:21am

Hi community, looking for some assistance on Auth0 RBAC with nodejs.
I have configured RBAC on Auth0, angular frontend and nodejs backend. The nodejs backend uses express-jwt-authz. When i print out the token and go to jwt.io i can see everything is as it should be however the server is returning 403 forbidden on my route. Permissions are sent as read:employees and is configured exactly the same in the code as you can see before.

I have placed the node js code along with an example token of what the server is seeing:

const express = require(‘express’);
const router = express.Router();
const { expressjwt: jwt } = require(‘express-jwt’);
const jwks = require(‘jwks-rsa’);
const jwtAuthz = require(“express-jwt-authz”);

const authorizeAuth0Token = jwt({
secret: jwks.expressJwtSecret({
cache: true,
rateLimit: true,
jwksRequestsPerMinute: 5,
jwksUri: ${process.env.AUT0_DOMAIN}.well-known/jwks.json
}),
audience: process.env.AUT0_AUDIENCE,
issuer: process.env.AUT0_DOMAIN,
algorithms: [‘RS256’]
});

const checkAuthPermissions = jwtAuthz([‘read:employees’], {
customScopeKey: “permissions”
});

router.get(‘/employees’,authorizeAuth0Token, checkAuthPermissions, (req, res) => {
res.status(200).json({‘test’:‘this api call is good’})
});

Token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImdRUjNLdHFheWpGc2Z6Y05qUGFKSSJ9.eyJpc3MiOiJodHRwczovL2Rldi1ibGE1Z3Q0aGh5M2Rwd3Y2LnVzLmF1dGgwLmNvbS8iLCJzdWIiOiJhdXRoMHw2MzhiOWQwMjg3NzlhMDBlNTI2YTU0NWMiLCJhdWQiOlsiaHR0cHM6Ly9taXRhc2svYXBpIiwiaHR0cHM6Ly9kZXYtYmxhNWd0NGhoeTNkcHd2Ni51cy5hdXRoMC5jb20vdXNlcmluZm8iXSwiaWF0IjoxNjcwNjQxNDEwLCJleHAiOjE2NzA2NDUwMTAsImF6cCI6IkF2SWt4U0lqTUxleU9PVjNQMkdlNFBFRXJpdkRxU2hlIiwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCIsInBlcm1pc3Npb25zIjpbInJlYWQ6ZW1wbG95ZWVzIl19.fYXSVJa4CSPt_UCIXJM9e6MPOD2xyx1KgogCeVVF0Mwo0YD68Qex7iUUU3O60gMGdMrh7x6B73qAakl-tS-gLH_bVVM3PHWf4v_fSSRbju2IIeLEHkTAAMRc6qk8jNzqiB725etGEJlmZDYipU9ryfHl11FnFFjX8kYDW4lBCbKOxdLcmHSZpJppsQ6QU0eFNLCp2_PKUqGx6waofVZ6_IpBS3b4LHfVjQkzsyGdWOFtLIRIoSnciaqkDMpT-FxydWGfp7EeP5eUaBk8n3RvZ22VMNLkkVxZPUDTmFM6wZMhu22kpy1F_h5DmfaKz6A5WYP22mLouecQtw7fYZltjw

ty.frith · December 12, 2022, 10:01pm

Hey there @vinood.persad!

Hmm that’s interesting you’re getting a 403 here - Are there any clues in the error logging as to why?

While I haven’t used express-jwt-authz myself, I was able to get this working using the updated express-oauth2-jwt-bearer library to achieve what you are after. My code looks like this:

const cors = require("cors");
const morgan = require("morgan");
const helmet = require("helmet");
const authConfig = require("./src/auth_config.json");

const express = require('express');
const { auth, requiredScopes, claimEquals, claimIncludes } = require('express-oauth2-jwt-bearer');
require('dotenv').config(); // Load the .env variables

const appPort = process.env.SERVER_PORT || 3000;
const appOrigin = authConfig.appOrigin || `http://localhost:${appPort}`;

const app = express();
const checkJwt = auth();
app.use(morgan("dev"));
app.use(helmet());
app.use(cors({ origin: appOrigin }));

//using claimIncludes to check if the permissions claim contains read:msg
app.get('/api/external', checkJwt, claimIncludes('permissions', 'read:msg'), (req, res) => {
  res.json({ message: `Hello ${req.auth.payload.sub} - Permissions: ${req.auth.payload.permissions}` });
});

app.listen(3001, () => console.log('listening at http://localhost:3001'))

I’m using this alongside our React sample to test, you can find my fork here.

Depending on where you are at in your project, it might be worth switching over to the improved experience - Some more on that here:

Hope this helps!

vinood.persad · December 22, 2022, 1:43pm

Thanks so much for the reply and the help. And also thanks for the example snippet provided. I took a look at the blog you provided and I do believe this will definitly fix my issue. I am yet to perform a test of this as its been a little busy with end of year, however I will be testing this solution within the coming days. i will confirm this helps as soon as I am done testing.

ty.frith · December 22, 2022, 11:37pm

No problem, happy to help! Please keep us posted here on the results if you can

vinood.persad · December 23, 2022, 3:23pm

Works like a charm. Thanks for the help much appreciated! enjoy the holidays!

ty.frith · December 23, 2022, 11:26pm

Great to know and thanks for following up here Happy holidays!

Topic		Replies	Views
Problem Insufficient scope with node Js and lib express-authz Get Help scopes , permissions	3	3082	June 12, 2023
Express API - 403 (Forbidden) when trying to use permissions Get Help	1	3330	February 17, 2020
Which backend library to use and should i use "permissions" or. "scope" field role/permission validation on our backend? Get Help permissions , node-auth0	0	2741	January 24, 2022
appSession token comes to server instead of jwt token Get Help node-auth0 , sdks-quickstarts	0	1584	January 25, 2023
How to "Protect a route based on specific claims" for "Standard Web Application" (NodeJS/Express) and Get Help auth0 , roles , rbac	4	3609	March 17, 2022

Auth0 RBAC: nodejs using express-jwt-authz

Related topics