Auth0 Home Blog Docs

Authorization Extension group mapping not working



Hi, I am trying to use the Authorization Extension. I have API access enabled and full read permissions set up for my Auth0 client, no problems there.

The problem is behavior. Group mappings do not seem to be working. Here is my setup:

  • [group] SuperAdmins
  • [group] Admins, with role R, and with a mapping set to include SuperAdmins
  • [role] R, with permissions P1 and P2
  • [permission] P1
  • [permission] P2
  • [user] Alice, who is a member of SuperAdmins

With this setup I expect Alice’s calculated groups to include both Admins and SuperAdmin. But the endpoint only returns the latter:

GET .../api/users/auth0|alice/groups/calculate
response body:  {
  _id: '...',
  name: 'superadmins',
  description: 'Super Admins' } ]

The Admins group also does not show up in the Authorization Extension user interface. What am I doing wrong?


Group mappings are intended to automatically map group information coming from an external source/connection.

For example, if you have configured an Active Directory or Custom Database connection that returns as part of the user profile a groups property containing group information about the user at the connection source and you want to map those groups to groups managed by the Authorization extension then you should configure the mappings.

If you want to include groups within groups than you take a look at the Nested Groups section instead of Group Mappings.