Can't get RBAC permissions from the access token payload

martin5 · March 19, 2020, 9:02pm

Hi,

I am making a frontend that consumes an API protected by Auth0. I have successfully implemented a public path and a private (login protected) path for my API.

Now I would like to implement RBAC for my test user and for this I have observed the steps described in the how-to, namely:

Register the API
Define permissions
Create roles
Assign roles/permissions to my test user

Then finally I enabled the RBAC on my API as per this documentation. Now when I go check in my backend the access token payload I received from Auth0, I don’t have a permissions field for the user. Rather I am getting this:

{
  "nickname": "martin5",
  "name": "<obfuscated>",
  "picture": "https://s.gravatar.com/avatar/ec45dae5c1d74e935fc50f3ca22d5aae?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fma.png",
  "updated_at": "2020-03-19T19:37:28.735Z",
  "email": "<obfuscated>",
  "email_verified": true,
  "iss": "https://<obfuscated>.eu.auth0.com/",
  "sub": "auth0|5dbc8ddb33c5e20d81912e99",
  "aud": "PyNVW4rk2eBKt10tnD3J8APuVfUZ4nO3",
  "iat": 1584646648,
  "exp": 1584682648,
  "at_hash": "Dbn7HuZXHkBnovI9pHWMkg",
  "nonce": "PEUnxeuDPo0Znj2e7XNDU5sYvmTaX_0D"
}

What have I missed out?

Thanks!

Martin

PS: Technically my backend is a python serverless lambda infrastructure with a custom authorizer, my front-end is a plain html, css, javascript (no React, Vue, Express, Angular…), and the library I am using to authenticate is lock (https://cdn.auth0.com/js/lock/11.4.0/lock.min.js).

dan.woda · March 20, 2020, 9:04pm

Hi @martin5,

Welcome to the Community!

Can you confirm that you toggled on the Add Permissions in the Access Token setting and saved afterwards? I just tested this to confirm, and you should just have to add the custom API as the audience, add the permission to the role, and the role to the user, then you should get an access token with the respective permissions.

Also, the aud claim is typically the identifier uri of your API, it looks like you may have used the id.

Let me know if either of those solve it,
Dan

martin5 · March 21, 2020, 12:17am

Hi Dan,

Thank you for pointing me to the actual problem: yes when I instanciated auth0Lock I did not indicate the audience , so indeed, where was auth0 going to get the permissions from?!

This said and FYI, when I looked at the lock configuration doc it indicates that the audience parameter belongs to the auth object, however, while I did this it did not work. I had to find this forum post and set the audience field under the params property of the auth object to get my RBAC. This is not documented. Is the documentation wrong? Is my use case rare?

In any case, thank you very much, this was a life saver!

Martin

dan.woda · March 25, 2020, 5:43pm

Thanks for the follow up! Can you post an example so I can see what you mean?

Thanks,
Dan

martin5 · April 1, 2020, 5:33pm

Hi @dan.woda,

I just had contradicting information and the unofficial information is the one that worked for me.

on Lock Configuration Options I have:

var options = {
  auth: {
    audience: 'https://YOUR_DOMAIN/userinfo',
  }
}

whereas on Audience with embedded Lock as Popup - #3 by zatziky I used the following signature that worked instead of the one above:

const lock = new Auth0Lock(clientId, domain, {
    oidcConformant: true,
    autoclose: true, 
    auth: {
      sso: false,
      responseType: 'token id_token',
      redirectUri: process.env.AUTH0_REDIRECT_URI,
      params: {
        audience: 'https://my-api.io'
      }
    }
  })

Best

dan.woda · April 3, 2020, 9:32pm

Interesting, thanks for following up with that. I’ll pass the info along!

christopherbailey160 · April 6, 2020, 7:01am

Adding additional data to Access Tokens in Auth0 isn’t as difficult as their documentation would have you believe.

dan.woda · April 21, 2020, 7:11am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.