
Authorization extension - Roles/permissions are empty

roles
authorization-extens
permissions
grant-types

#1

I am developing a web application API with multiple clients, and I’m having trouble with the Authorization extension. When I try to log in with one Client ID (let’s call it “A”), I receive all the groups/roles/permissions correctly. With the second client ID, “B”, roles/permissions are empty but I do receive groups. I am using the following call:

POST https://sencorsoft.eu.webtask.io/{{webtask_id}}/api/users/testuser/policy/B (body {"connectionName": "test"})

I have Auth0 configured as follows:

  • Client A is a single-page-application with only the “Implicit” grant type allowed.
  • Client B is a non-interactive client with only the “Password” grant type allowed.
  • Both clients are OIDC conformant and use RS256, with nothing else configured.
  • There is one API without scopes, which has authorized non-interactive Client B. As far as I can tell, I cannot explicitly authorize Client A. This API is set as the default audience.
  • The user testuser (this is actually auth0|12315523etc) is registered and has both roles and permissions. As far as I can tell, I cannot couple users to specific clients, so the user should be able to log in to both clients.
  • An enabled rule performs the above policy call to the extension, extracts the groups, roles and permissions and puts them in the access token.

I have tried:

  • Enabling the “Password” grant on A. The roles/permissions are present in the policy call.
  • Making a new client C that is an exact copy of Client A (= single page application) with the “Password” grant enabled. The roles/permissions are empty.

I have run out of ideas for what I could try in order to diagnose the issue further. What’s going wrong here? Is there a setting somewhere that makes the Authorization Extension only work for one client ID?

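The rule the post describes, reconstructed here as an added example that is not the original poster's rule and not the Authorization Extension's own generated code. It is written in the shape such rules take (POST to the extension's policy endpoint for the current client, copy groups/roles/permissions into namespaced access-token claims) but with the HTTP call injected so it runs offline. The extension URL, the `x-api-key` header name, the claim namespace `https://example.com/authz/`, the user id and the sample policy responses are all assumptions for the example; the only thing taken from the thread is the symptom, a policy response for one client that carries groups but empty roles and permissions.

```javascript
// Added example, not code from the original thread or from Auth0. An Auth0
// rule in the shape the Authorization Extension generates: it POSTs to the
// extension's policy endpoint for the current client and copies
// groups/roles/permissions into namespaced access-token claims. The extension
// URL, the x-api-key header, the claim namespace and the sample policy
// responses below are assumptions made for this example.

const CLAIM_NS = 'https://example.com/authz/'; // assumed namespace; custom claims must be namespaced

// Builds the rule. `post(url, options, cb)` mirrors request.post, which real
// rules get from the sandbox; injecting it lets the rule run offline.
function makeAuthzRule(post, extensionUrl, apiKey) {
  return function authzRule(user, context, callback) {
    const url = extensionUrl + '/api/users/' + encodeURIComponent(user.user_id) +
      '/policy/' + context.clientID;
    const options = {
      headers: { 'x-api-key': apiKey },                 // assumed header name
      json: { connectionName: context.connection },
    };
    post(url, options, function (err, res, policy) {
      if (err) return callback(err);
      if (!res || res.statusCode !== 200) {
        return callback(new Error('policy call failed for client ' + context.clientID));
      }
      const groups = policy.groups || [];
      const roles = policy.roles || [];
      const permissions = policy.permissions || [];
      // The symptom from the thread: groups present, roles and permissions
      // empty. Logging it makes the per-client gap visible in the rule logs
      // instead of silently issuing a token with empty authorization claims.
      if (policyMissingRoles({ groups: groups, roles: roles, permissions: permissions })) {
        console.log('authz: no roles/permissions defined for client ' + context.clientID);
      }
      context.accessToken[CLAIM_NS + 'groups'] = groups;
      context.accessToken[CLAIM_NS + 'roles'] = roles;
      context.accessToken[CLAIM_NS + 'permissions'] = permissions;
      return callback(null, user, context);
    });
  };
}

// True when the extension knows the user's groups but has nothing else for
// this client, i.e. roles/permissions were never created for that client.
function policyMissingRoles(policy) {
  return policy.groups.length > 0 && policy.roles.length === 0 && policy.permissions.length === 0;
}

// Constructed policy responses, one per client, shaped like what the thread
// describes: client A has roles/permissions defined, client B only groups.
const SAMPLE_POLICY = {
  A: { groups: ['admins'], roles: ['admin'], permissions: ['read:users', 'write:users'] },
  B: { groups: ['admins'], roles: [], permissions: [] },
};

// Offline stand-in for request.post against the policy endpoint.
function fakePost(url, options, cb) {
  const clientID = url.slice(url.lastIndexOf('/policy/') + '/policy/'.length);
  const policy = SAMPLE_POLICY[clientID];
  if (!policy) return cb(null, { statusCode: 404 }, null);
  return cb(null, { statusCode: 200 }, policy);
}

// Runs the rule for one client and returns the access-token claims it set;
// throws if the policy call fails (unknown client in this offline setup).
function tokenClaimsFor(clientID) {
  const rule = makeAuthzRule(fakePost, 'https://example.webtask.io/authz', 'assumed-api-key');
  const user = { user_id: 'auth0|000000000000' };          // constructed user id
  const context = { clientID: clientID, connection: 'test', accessToken: {} };
  let claims = null;
  rule(user, context, function (err, _user, ctx) {
    if (err) throw err;
    claims = ctx.accessToken;
  });
  return claims;
}

console.log(JSON.stringify(tokenClaimsFor('A'), null, 2));
console.log(JSON.stringify(tokenClaimsFor('B'), null, 2));
```

Running it prints the claims for client A (groups, roles and permissions populated) and for client B (groups populated, roles and permissions as empty arrays), which is exactly the difference the post reports. The `policyMissingRoles` check is the useful part for a practitioner: a policy response with groups but no roles or permissions for a client is the signature of roles/permissions not having been created for that client, and it is better surfaced in the rule than discovered later as an access token that carries no authorization claims.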

#2

Solved by support. Currently, roles and permissions need to be created for each Client. If you have a non-interactive client, it does not show up in the list.

So what you do is this.

  1. Change the non-interactive client to a regular web application
  2. Create the roles and permissions you need (you can use the same name as you’re using for other clients, so that the roles match up)
  3. Change the client back to a non-interactive client
  4. Receive all roles and permissions on login

#3

Hey @sencorsoft, how do you specify which client you are creating roles and permissions for in the Authorization Extension? I have several clients, and don’t see an option to select one…


#4

You can select it in the dropdown if you have multiple clients.
I made a screencap: https://imgur.com/QAK4DE6


#5

Addition to my previous post: non-interactive clients are now called “Machine to Machine” clients, and their type can no longer be changed. You also can’t add permissions for M2M clients directly.

To circumvent this in the Authorization Extension, you can edit the HTML of the “Application” dropdown to include the client ID of a M2M client. You can then submit the form and still save permissions.

Unfortunately, it really is a hack. Would be great to have this supported as a standard feature.