Hi,
In Auth0 I have configured:
A Custom API with 18 permissions.
A Next.js client that calls the API.
A SPA Auth0 application with an “enterprise connection” to an Okta OIDC IdP.
An enterprise connection to an Okta OIDC IdP.
The Okta OIDC application.
Login succeeds but the token exchange does not include my custom scopes/permissions in the access token.
OIDC connection in Auth0:
Okta scopes:
This is the access token sent to the API:
{
  "iss": "https://bookend-mvp-staging.us.auth0.com/",
  "sub": "oidc|Bookend-Okta-OIDC-SSO|00uezee7dbLsmw0kB5d7",
  "aud": [
    "https://control-plane-pwuhwxrqnq-uc.a.run.app",
    "https://bookend-mvp-staging.us.auth0.com/userinfo"
  ],
  "iat": 1715053960,
  "exp": 1715140360,
  "scope": "openid profile email",
  "org_id": "org_pOdZ283uSzKQpddI",
  "azp": "PmuiEJVHdJVj3xaAqn4z0HCOXDhbbqyU",
  "permissions": []
}
I have assigned the permission to the user:
How do I get my custom scopes/permissions into the access token sent from Okta?
I see the authorize request does include the custom scopes:
https://dev-11895766.okta.com/oauth2/default/v1/authorize?client_id=0oag2l3qnrCNVqJDs5d7&scope=datasets%3Aread%20datasets%3Ascan%20datasets%3Awrite%20email%20models%3Adelete%20models%3Aread%20models%3Awrite%20openid%20profile&response_type=code&redirect_uri=https%3A%2F%2Fbookend-mvp-staging.us.auth0.com%2Flogin%2Fcallback&login_hint=darren%40bookend.ai&response_mode=query&code_challenge=...&code_challenge_method=S256&state=...
tyf
May 7, 2024, 9:42pm
Hey @darrenk !
I see that there’s an org_id in the access token shared. Are the permissions assigned directly to the user or by way of an organization? The following post explains the difference well and why you aren’t seeing any permissions in the permissions claim:
Hi @PatrickHeneise
Thanks for reaching out to the Auth0 Community!
My apologies for not getting back to you sooner. And yes, normally topics are automatically closed after 15 days from the last reply.
Now, after my investigation, I found that there were no issues with getting the permissions added to the access token when authenticating with Organizations.
I believe what happened involved the user only being assigned to those Permissions globally on their user profile (non-organization), in…
That was the problem.
I added the role to the user at the organization level (in Auth0) and it is working now.
The scopes in the IdP (Okta) were not needed.
Thanks for your help!
-Darren
tyf
May 7, 2024, 9:48pm
Ah, great! Thanks for confirming
system
Closed
May 21, 2024, 9:49pm