Auth0 Home Blog Docs

Authorization Extension Not Adding Permissions, Roles nor Groups to Ticket or Profile

authorization-extens
#1

Trying to get a simple scenario configured using the Authorization Extension and I can’t seem to find the correct combination to permission values attached to the user in either access_token or the app_meta data properties. The default rule configured from the extension’s dashboard get’s added to my tenant fine but when I test it against my WAAD instance it is always blank. I enabled extensions API was able to confirm /api/users/{userid}/roles was correct.

#2

Hi @eric.williams,

We had similar problems with the authz extension. In hindsight, I would have avoided storing perms in app_metadata and used the authz extension API instead. We found copying the perms to the user’s profile was occasionally flakey, and of course the rule is only trigger on login so authorization changes aren’t reflected in the profile until the user’s next login.

#3

To be clear, the access_token also is missing the permissions. In the getPolicy call back logging the data object always returns empty groups, roles and permissions

console.log('data:', data);

data: { groups: [], roles: [], permissions: [] }

#5

Hey there @eric.williams, I apologize for the delay. It looks like you have an open support ticket now on this front. To focus effort I’ll have our internal support team take charge on this matter, however once they devise of a solution I will be sure to share it here as well. Please let me know if there are any additional questions I can relay, thanks!

#6

For historical record reference and after confirming with the technician, the resolution on this ended up being when using an OIDC login flow you have to add the roles/perms as a custom claim in a separate rule that runs after the authorization extension rule. The extension can only add the roles to the token when the application is a non-oidc conformant app.

closed #7

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.