Auth0 Home Blog Docs

authorization extension token



I am trying to get a token (access_token) with user groups/roles/permissions that I have created on authorization extension. I am using SPA with
Username-Password-Authentication database. I added the extension, create the groups/roles/permissions, enable the rule configuration and when I am testing it through Auth0 (tricky part is clientID as Auth0 by default puts the global ClientID and not your application’s one) , I am getting the following.
“groups”: " Administrator Group" ],
“roles”: “Administrator”],
“permissions”: “read:message”, “write:message”],

this is the desired information but I could not take it as part of the token in any way.
I have read almost everything from community’s Q&A but I don’t have see any solution except to create a custom rule with namespace as a key. (I really don’t like this option)


I’m afraid that the recommended approach is to indeed use custom namespaced claims as those are the ones that are supported in OIDC conformant endpoints. The direct use of the names groups, roles and permissions in claims was (is for those who still have to use it) available in the legacy authentication endpoints which are no longer recommended even if you have them available and that will be deprecated in the future.

As an additional note, the reason for the namespace is to safeguard any possible future conflict with standard claims that may be adopted and besides the increased verbosity provide mostly the same functionality.


Hi jmangelo,
thank you for your quick response. In the project that I am working on I am trying to to make an authentication get an access_token with roles/groups/permissions in order to show each user the appropriate views/actions. As I told you I using SPA based on Angular 5. When I decode the token (with jwtHelper) I get an object that I have to parse in order to store it and do the appropriate actions (build menu, show hide actions … etc) .
Also during application browsing (change page , sections and other custom actions) token would be checked in order to ensure that user is valid and has the appropriate permissions.
At the end , in each request the token would be send back in server in order to be validated and make the desired action.

  1. is this approach correct?
  2. can you suggest any tutorial/example
  3. I wrote that I don’t like to use namespace because when I decode the token I have to use it as a key in order to get the desired values. I don’t have seen anywhere something like that.
  4. /tokeninfo endpoint provides the desired results. is this depreciated ?