Cannot get authorization (roles, permissions) data in user data

Help
, , , ,
1

Hello, I’m trying to get an account’s roles and permissions then add them to idToken as custom claims. But it seems like I missed something or misconfigured so authorization extension doesn’t work as I expected. Please help

What I’ve done:

  1. Create an API named ‘New API’. A machine-to-machine app was also created automatically after this step.

  2. Define scopes of New API, including ‘read:data’, ‘create:data’, ‘delete:data’.

    35%20PM
    35%20PM996×759 63.1 KB

  3. Install authorization extension.

  4. Create permissions with names exactly same as scope names in step 2

    33%20PM
    33%20PM1107×527 40.9 KB

  5. Create role ‘New API Manager’ with all 3 permissions created in step 4.

    01%20PM
    01%20PM640×559 19.5 KB

  6. Create a group named ‘KMS’.

  7. Add an user to role ‘New API manager’ and group ‘KMS’

  8. In Authorization configuration, enable token contents ‘groups’, ‘roles’, ‘permissions’. Then Publish Rule

    16%20PM
    16%20PM1075×656 51.3 KB

  9. Add new rule with following code:

    function (user, context, callback) {
    const namespace = ‘https://new-api.com/’;
    context.idToken[namespace + ‘permissions’] = user.permissions;
    context.idToken[namespace + ‘groups’] = user.groups;
    console.log(user);
    callback(null, user, context);
    }

  10. When I try to login with the user in step 7, I check the rule log in ‘Debug rule’, and here’s the information. The question is why am I only receiving ‘groups’, while ‘roles’ and ‘permissions’ fields are empty arrays

    49%20PM
    49%20PM307×684 44 KB

Here’s the user I logged in

49%20PM
49%20PM874×456 23.9 KB

Here’s the idToken payload
25%20PM

1 Like
2

Hey there @huyennbl!

I’ve managed to reproduce what you wanted to achieve step by step. It seems like you’ve chosen the wrong application when setting up roles and permissions which I also confirmed using our internal admin tools. Here’s the doc reference:

Looking at this doc: “The roles that you will create will depend on the access to certain permissions in your application”

You also need to take care of the fact that you need to initiate the login flow from the same application.

Let me know if that work for you!

4

Thanks for your support, I’m not sure what you mean by ‘chosen wrong application’ because I have only 1 option.
I tried removed all the app, api, roles settings, then do it again, and now it works.

5

okok glad to hear that! Thought you have multiple apps set for testing purposes and that you’ve just not chosen the right one.

Stoked it worked for you in the end!

6

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.