Calling the authorization extension API from a rule

Mark06 · February 20, 2018, 7:41pm

I want to call the authorization extension API from a rule in order to obtain the full group details for a user (ie. including the groups description)

I took the code from the rule that’s generated by the extension, and made a new rule that executes the following query:

  // Get the groups for the user.
  function getUserGroups(user, context, cb) {
    request.get({
      url: EXTENSION_URL + "/api/users/" + user.user_id + "/groups",
      headers: {
        "x-api-key": "94ec..."
      },
      timeout: 5000
    }, cb);
  }

But the request fails with a missing authentication error:

12:35:41 PM: 180220/113541.054, [log,error] data: Request: GET /api/users/auth0%7C5968d1...7c6feca7/groups
12:35:41 PM: 180220/113541.055, [log,error] data: Response: {
  "data": null,
  "isBoom": true,
  "isServer": false,
  "output": {
    "statusCode": 401,
    "payload": {
      "statusCode": 401,
      "error": "Unauthorized",
      "message": "Missing authentication"
    },
    "headers": {
      "WWW-Authenticate": "Token"
    }
  }
}

Should the x-api-key token also work for this endpoint, or do I need to make a request to /oauth/token to get my own access_token each time?

richard.dowinton · March 2, 2018, 2:13pm

You need to use a bearer token that contains the necessary scopes.

To retrieve such a token, you’ll first need to create a non-interactive client and grant it access to the Authorization extension API by going to the APIs section, clicking the auth0-authorization-extension-api API and then authorizing it under the Non Interactive Clients tab. This is more or less the same process as retrieving a token for the management API.

You can then request the token like so using the client ID and secret of your non-interactive client:

curl --request POST \
  --url https://your-tenant.auth0.com/oauth/token \
  --header 'content-type: application/json' \
  --data '{"client_id":"...","client_secret":"...","audience":"urn:auth0-authz-api","grant_type":"client_credentials"}'

With this token, you will need to specify it in the Authorization header rather than use the x-api-key header when you make the request, e.g.:

...
headers: {
    "Authorization": "Bearer <token>"
}
...

system · March 3, 2018, 2:13pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.

Topic		Replies	Views
group members authorization extension Help authorization-extens , extension , authorization , group	2	4161	March 2, 2018
GET group members API broken Help authorization-extens , group-members	6	3288	August 21, 2020
auth0-authorization-extension rule only provides groups, not roles or permissions Help authorization-extens	4	4110	September 3, 2019
authorization extension token Help authorization-extens	3	4046	March 2, 2018
Group Id verification in backend API Help access-token , groups	1	2357	April 11, 2022

Calling the authorization extension API from a rule

Related topics