Hi,
A Custom API with 18 permissions.
A Next.js client that calls the API.
A SPA Auth0 application with an “enterprise connection” to an Okta OIDC IdP.
An enterprise connection to an Okta OIDC IdP.
The Okta OIDC application.
Login succeeds but the token exchange does not include my custom scopes/permissions in the access token.
OIDC connection in Auth0:
Okta scopes:
This is the access token sent to the API:
{
"iss": "https://bookend-mvp-staging.us.auth0.com/",
"sub": "oidc|Bookend-Okta-OIDC-SSO|00uezee7dbLsmw0kB5d7",
"aud": [
"https://control-plane-pwuhwxrqnq-uc.a.run.app",
"https://bookend-mvp-staging.us.auth0.com/userinfo"
],
"iat": 1715053960,
"exp": 1715140360,
"scope": "openid profile email",
"org_id": "org_pOdZ283uSzKQpddI",
"azp": "PmuiEJVHdJVj3xaAqn4z0HCOXDhbbqyU",
"permissions": []
}
I have assigned the permission to the user:
How do I get my custom scopes/permissions into the access token sent from Okta?
I see the authorize request does include the custom scopes:
https://dev-11895766.okta.com/oauth2/default/v1/authorize?client_id=0oag2l3qnrCNVqJDs5d7&scope=datasets%3Aread%20datasets%3Ascan%20datasets%3Awrite%20email%20models%3Adelete%20models%3Aread%20models%3Awrite%20openid%20profile&response_type=code&redirect_uri=https%3A%2F%2Fbookend-mvp-staging.us.auth0.com%2Flogin%2Fcallback&login_hint=darren%40bookend.ai&response_mode=query&code_challenge=...&code_challenge_method=S256&state=...
1 Like
tyf
May 7, 2024, 9:42pm
4
Hey @darrenk !
I see that there’s an org_id in the access token shared, are the permissions assigned directly to the user or by way of an organization? The following post explains the difference well and why you aren’t seeing any permissions in the permissions claim:
Hi @PatrickHeneise
Thanks for reaching out to the Auth0 Community!
My apologies for not getting back to you sooner. And yes, normally topics are automatically closed after 15 days from the last reply.
Now, after my investigation, I found that there were no issues with getting the permissions added to the access token when authenticating with Organizations.
I believe what happened involved the user only being assigned to those Permissions globally on their user profile (non-organization), in…
1 Like
That was the problem.
The scopes in the IdP (Okta) were not needed.
Thanks for your help!
1 Like
tyf
May 7, 2024, 9:48pm
6
Ah, great! Thanks for confirming
