Problem Statement
Authorization core and Extension permissions are not updated in the profile. How do I manually trigger a sync to update? I logged out and logged in several times, but they are not getting updated.
Solution
Please note that Authorization Core and the Authorization Extension cannot coexist. Using both of them at the same time is not supported.
So, here we have two options:
- Move directly to Authorization Core, removing the Authorization Extension so that it does not override Authorization Core. This would be a good approach, considering Authorization Core is the future of both extensions, as the Authorization Extension will be removed in the future (however, there is no EOL yet).
- Based on the documentation, what Istio needs in its access policies is, among other things, the permissions claim, so if you can get the Authorization Extension to add those namespaced claims, it should work:
The Authorization Core capabilities in Auth0 give you a nice way of ending up with a permissions claim in the access token, telling the API what the user can do (based on roles, direct permissions assignments, and what not). Then, on Istio, the authorization policy says “look in the permissions claim for this particular value to allow access”.
The Authorization Extension gives you a different set of tools to work with roles/groups and to calculate permissions that can end up in a claim. You’ll need a rule to put the user permissions in a token and tell Istio where to find those permissions. But, other than that, it should work.
Regarding the access policies, it looks like having the permission-related claims is important, so another option would be to test by adding the claims as explained in the post I shared above.
rules:
- when:
  - key: request.auth.claims[permissions]
    values: ["read:book-reviews"]
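The Authorization Extension path described above needs a rule that puts the user's permissions into the access token. The following is an added example, not code from the original post or from Auth0: the namespace, the assumption that the extension's own rule has already set `user.permissions`, and the helper names are all hypothetical, and the final check is a simplified local stand-in for the policy condition rather than Istio's implementation.

```javascript
// Hypothetical namespace for the custom claim; use a URL you control.
const NAMESPACE = 'https://example.com/';
const CLAIM = NAMESPACE + 'permissions';

// Auth0 Rule body. Assumption: the Authorization Extension's own rule ran
// earlier in the pipeline and put the computed list on user.permissions.
function addPermissionsClaim(user, context, callback) {
  const raw = Array.isArray(user.permissions) ? user.permissions : [];
  // Keep strings only and drop duplicates so the claim stays predictable.
  const permissions = [...new Set(raw.filter((p) => typeof p === 'string'))];
  context.accessToken = context.accessToken || {};
  context.accessToken[CLAIM] = permissions;
  callback(null, user, context);
}

// Decode a JWT payload for inspection only. No signature verification here;
// that remains the job of the mesh or the API.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Simplified local stand-in for the policy condition: the named claim must
// be a list containing at least one of the required values.
function claimAllows(claims, claimName, values) {
  const claim = claims[claimName];
  const held = Array.isArray(claim) ? claim : [];
  return values.some((v) => held.includes(v));
}

// Constructed sample: run the rule, then wrap its output in a token with a
// placeholder signature so the payload can be decoded and checked.
function demo() {
  const user = { permissions: ['read:book-reviews', 'read:book-reviews', 42] };
  const context = {};
  addPermissionsClaim(user, context, () => {});
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const header = { alg: 'RS256', typ: 'JWT' };
  return decodePayload([enc(header), enc(context.accessToken), 'constructed'].join('.'));
}

console.log(claimAllows(demo(), CLAIM, ['read:book-reviews']));
```

If the check returns false for a real access token, the claim name in the policy and the claim name written by the rule do not match, or the rule did not run before the token was issued.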