I am making a frontend that consumes an API protected by Auth0. I have successfully implemented a public path and a private (login protected) path for my API.
Now I would like to implement RBAC for my test user and for this I have observed the steps described in the how-to, namely:
Register the API
Define permissions
Create roles
Assign roles/permissions to my test user
Then finally I enabled the RBAC on my API as per this documentation. Now when I go check in my backend the access token payload I received from Auth0, I don’t have a permissions field for the user. Rather I am getting this:
PS: Technically my backend is a python serverless lambda infrastructure with a custom authorizer, my front-end is a plain html, css, javascript (no React, Vue, Express, Angular…), and the library I am using to authenticate is lock (https://cdn.auth0.com/js/lock/11.4.0/lock.min.js).
Can you confirm that you toggled on the Add Permissions in the Access Token setting and saved afterwards? I just tested this to confirm, and you should just have to add the custom API as the audience, add the permission to the role, and the role to the user, then you should get an access token with the respective permissions.
Also, the aud claim is typically the identifier uri of your API, it looks like you may have used the id.
Thank you for pointing me to the actual problem: yes, when I instantiated auth0Lock I did not indicate the audience, so indeed, where was auth0 going to get the permissions from?!
This said and FYI, when I looked at the lock configuration doc it indicates that the audience parameter belongs to the auth object, however, while I did this it did not work. I had to find this forum post and set the audience field under the params property of the auth object to get my RBAC. This is not documented. Is the documentation wrong? Is my use case rare?
In any case, thank you very much, this was a life saver!
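The backend side of this thread, as an added example that is not from the original posts or from Auth0: a custom authorizer that checks the token's signature, that `aud` is the API identifier URI (not the client id, which is what a token requested without the audience carries), expiry, and finally the `permissions` claim that RBAC adds. It assumes constructed values (`API_IDENTIFIER`, `CLIENT_ID`, `SIGNING_SECRET`) and uses HS256 with a shared secret so it runs offline; a real Auth0 access token is RS256 and must be verified against the tenant's JWKS instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values: the real identifier and key come from the Auth0 dashboard,
# and Auth0 signs access tokens with RS256 (verified against its JWKS), not HS256.
API_IDENTIFIER = "https://example-api.example.com"  # API identifier URI, the expected aud
CLIENT_ID = "abc123clientid"                        # application client id, not a valid aud
SIGNING_SECRET = b"constructed-demo-secret"


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_demo_token(claims):
    """Issue an HS256 JWT for the example only (Auth0 itself issues RS256)."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def authorize(token, required_permission, now=None):
    """Return (allowed, reason): signature first, then aud and exp, then the RBAC permission."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed token"
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return False, "unexpected alg"  # never let the token choose the algorithm
    expected = hmac.new(SIGNING_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    aud = claims.get("aud", [])
    # A token whose aud is only the client id was requested without the API
    # audience (Lock's auth.params.audience) and will carry no permissions claim.
    if API_IDENTIFIER not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience is not the API identifier"
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return False, "token expired"
    if required_permission not in claims.get("permissions", []):
        return False, f"missing permission {required_permission}"
    return True, "ok"
```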