I am developing a web application API with multiple clients, and I’m having trouble with the Authorization extension. When I try to log in with one Client ID (let’s call it “A”), I receive all the groups/roles/permissions correctly. With the second client ID, “B”, roles/permissions are empty but I do receive groups. I am using the following call:
POST https://sencorsoft.eu.webtask.io/{{webtask_id}}/api/users/testuser/policy/B
(body: {"connectionName": "test"})
I have Auth0 configured as follows:
- Client A is a single-page-application with only the “Implicit” grant type allowed.
- Client B is a non-interactive client with only the “Password” grant type allowed.
- Both clients are OIDC conformant and use RS256, with nothing else configured.
- There is one API without scopes, which has authorized non-interactive Client B. As far as I can tell, I cannot explicitly authorize Client A. This API is set as the default audience.
- The user testuser (this is actually auth0|12315523etc) is registered and has both roles and permissions. As far as I can tell, I cannot couple users to specific clients, so the user should be able to log in to both clients.
- An enabled rule performs the above policy call to the extension, extracts the groups, roles and permissions and puts them in the access token.
I have tried:
- Enabling the “Password” grant on A. The roles/permissions are present in the policy call.
- Making a new client C that is an exact copy of Client A (= single page application) with the “Password” grant enabled. The roles/permissions are empty.
I have run out of ideas for what I could try to further diagnose the issue. What’s going wrong here? Is there a setting somewhere that makes the Authorization Extension only work for one client ID?
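As an added example (not the poster's rule), here is an Auth0-style rule of the kind described above: it calls the extension's policy endpoint for the client that is actually logging in, validates the response and copies groups, roles and permissions into namespaced access-token claims, logging the "groups but no roles" case because the extension defines roles and permissions per application while groups are global. The extension URL, the claim namespace and the x-api-key header name are assumptions, and the HTTP call is injected so the claim handling can be exercised offline.

```javascript
// Added example, not the poster's rule: an Auth0-style rule that asks the
// Authorization Extension for the policy of the *current* client and copies
// the result into namespaced access-token claims. The HTTP call is injected
// (`post`) so the claim handling can be exercised offline.
const EXTENSION_API = 'https://EXTENSION_HOST/api'; // placeholder, assumed
const NAMESPACE = 'https://example.com/claims/';    // assumed claim namespace

// Validate the policy response and turn it into namespaced claims. Each of the
// three fields must be an array; a missing field is an error, not "no access".
function buildClaims(policy, namespace) {
  const claims = {};
  for (const key of ['groups', 'roles', 'permissions']) {
    if (!policy || !Array.isArray(policy[key])) {
      throw new Error(`policy response is missing array "${key}"`);
    }
    claims[namespace + key] = policy[key].slice();
  }
  return claims;
}

// Build the rule. `post(url, body, headers)` must return a Promise of the
// parsed JSON body; `apiKey` is the extension's API key (header name assumed).
function makeRule(post, apiKey) {
  return function rule(user, context, callback) {
    const url = `${EXTENSION_API}/users/${encodeURIComponent(user.user_id)}` +
      `/policy/${context.clientID}`;
    return post(url, { connectionName: context.connection }, { 'x-api-key': apiKey })
      .then((policy) => {
        const claims = buildClaims(policy, NAMESPACE);
        context.accessToken = Object.assign(context.accessToken || {}, claims);
        // Groups are global in the extension but roles and permissions are
        // defined per application, so this combination usually means the roles
        // were created for a different application than `context.clientID`.
        const noRoles = policy.roles.length === 0 && policy.permissions.length === 0;
        if (noRoles && policy.groups.length > 0) {
          console.log(`client ${context.clientID}: groups but no roles/permissions`);
        }
        callback(null, user, context);
      })
      .catch((err) => callback(err));
  };
}
```

When wiring this into a real rule, `post` would wrap the `request` module available in the rule sandbox, and the API key would come from the rule's configuration settings rather than a literal.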