Auth0 RBAC: nodejs using express-jwt-authz

Hi community, looking for some assistance on Auth0 RBAC with nodejs.
I have configured RBAC on Auth0, with an Angular frontend and a Node.js backend. The Node.js backend uses express-jwt-authz. When I print out the token and paste it into jwt.io I can see everything is as it should be; however, the server returns 403 Forbidden on my route. The permission is sent as read:employees and is configured exactly the same in the code, as you can see below.

I have placed the Node.js code along with an example token of what the server is seeing:

const express = require('express');
const router = express.Router();
const { expressjwt: jwt } = require('express-jwt');
const jwks = require('jwks-rsa');
const jwtAuthz = require('express-jwt-authz');

// Verify the RS256 signature against the tenant JWKS and check aud/iss.
// AUT0_DOMAIN is used both as the issuer and as the base of the jwksUri, so it
// must be the full issuer URL with its trailing slash (https://<tenant>/).
const authorizeAuth0Token = jwt({
  secret: jwks.expressJwtSecret({
    cache: true,
    rateLimit: true,
    jwksRequestsPerMinute: 5,
    jwksUri: `${process.env.AUT0_DOMAIN}.well-known/jwks.json`
  }),
  audience: process.env.AUT0_AUDIENCE,
  issuer: process.env.AUT0_DOMAIN,
  algorithms: ['RS256']
});

// Look for read:employees in the token's permissions claim (Auth0 RBAC puts
// permissions there rather than in scope).
const checkAuthPermissions = jwtAuthz(['read:employees'], {
  customScopeKey: 'permissions'
});

router.get('/employees', authorizeAuth0Token, checkAuthPermissions, (req, res) => {
  res.status(200).json({ test: 'this api call is good' });
});

Token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImdRUjNLdHFheWpGc2Z6Y05qUGFKSSJ9.eyJpc3MiOiJodHRwczovL2Rldi1ibGE1Z3Q0aGh5M2Rwd3Y2LnVzLmF1dGgwLmNvbS8iLCJzdWIiOiJhdXRoMHw2MzhiOWQwMjg3NzlhMDBlNTI2YTU0NWMiLCJhdWQiOlsiaHR0cHM6Ly9taXRhc2svYXBpIiwiaHR0cHM6Ly9kZXYtYmxhNWd0NGhoeTNkcHd2Ni51cy5hdXRoMC5jb20vdXNlcmluZm8iXSwiaWF0IjoxNjcwNjQxNDEwLCJleHAiOjE2NzA2NDUwMTAsImF6cCI6IkF2SWt4U0lqTUxleU9PVjNQMkdlNFBFRXJpdkRxU2hlIiwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCIsInBlcm1pc3Npb25zIjpbInJlYWQ6ZW1wbG95ZWVzIl19.fYXSVJa4CSPt_UCIXJM9e6MPOD2xyx1KgogCeVVF0Mwo0YD68Qex7iUUU3O60gMGdMrh7x6B73qAakl-tS-gLH_bVVM3PHWf4v_fSSRbju2IIeLEHkTAAMRc6qk8jNzqiB725etGEJlmZDYipU9ryfHl11FnFFjX8kYDW4lBCbKOxdLcmHSZpJppsQ6QU0eFNLCp2_PKUqGx6waofVZ6_IpBS3b4LHfVjQkzsyGdWOFtLIRIoSnciaqkDMpT-FxydWGfp7EeP5eUaBk8n3RvZ22VMNLkkVxZPUDTmFM6wZMhu22kpy1F_h5DmfaKz6A5WYP22mLouecQtw7fYZltjw

Hey there @vinood.persad!

Hmm that’s interesting you’re getting a 403 here - Are there any clues in the error logging as to why?

While I haven’t used express-jwt-authz myself, I was able to get this working using the updated express-oauth2-jwt-bearer library to achieve what you are after. My code looks like this:

const cors = require("cors");
const morgan = require("morgan");
const helmet = require("helmet");
const authConfig = require("./src/auth_config.json");

const express = require('express');
// claimIncludes is the check used below; requiredScopes and claimEquals are the
// other claim checks the library exports.
const { auth, requiredScopes, claimEquals, claimIncludes } = require('express-oauth2-jwt-bearer');
require('dotenv').config(); // Load the .env variables

const appPort = process.env.SERVER_PORT || 3000;
const appOrigin = authConfig.appOrigin || `http://localhost:${appPort}`;

const app = express();
// auth() with no arguments reads AUTH0_AUDIENCE and AUTH0_ISSUER_BASE_URL from
// the environment (loaded above via dotenv) and validates the bearer token
// against the issuer's JWKS.
const checkJwt = auth();
app.use(morgan("dev"));
app.use(helmet());
app.use(cors({ origin: appOrigin }));

// claimIncludes checks that the permissions claim (string or array) contains read:msg.
// The verified payload is available as req.auth.payload.
app.get('/api/external', checkJwt, claimIncludes('permissions', 'read:msg'), (req, res) => {
  res.json({ message: `Hello ${req.auth.payload.sub} - Permissions: ${req.auth.payload.permissions}` });
});

app.listen(3001, () => console.log('listening at http://localhost:3001'));

I’m using this alongside our React sample to test, you can find my fork here.

Depending on where you are at in your project, it might be worth switching over to the improved experience - Some more on that here:

Hope this helps!

Thanks so much for the reply and the help, and also for the example snippet provided. I took a look at the blog you provided and I do believe this will definitely fix my issue. I am yet to perform a test of this as it's been a little busy with end of year; however, I will be testing this solution within the coming days. I will confirm this helps as soon as I am done testing.

No problem, happy to help! Please keep us posted here on the results if you can :smile:

Works like a charm. Thanks for the help, much appreciated! Enjoy the holidays!

Great to know and thanks for following up here :smile: Happy holidays!