Empty "permissions" claim in M2M token

Hi,

I have created an API, added scopes/permissions to it, and allowed a machine-to-machine app to access it with all the permissions enabled. When I try to fetch the access_token via Postman, the token I receive contains an empty permissions claim.

Both the M2M and the API application are set up with all the required permissions.

Why does it return a token with an empty permissions list?

Hi @kvirk,

Thanks for reaching out to the Auth0 Community!

If you’re looking to include the “permissions” claim in your access token, there’s a specific API setting (Auth0 Dashboard > Applications > APIs > Your API) you will need to enable. Specifically, it is the Add Permission in the Access Token toggle.

First, please refer to the screenshot below that shows the toggle you need to enable:

Once this feature has been enabled, you can see the assigned permissions when decoding the access token.

Please let me know if you have any additional questions.

Thanks,
Rueben

Hi,

That’s where it gets confusing. The RBAC has been set up exactly as per the screenshot you have shared from the very beginning. This does add the permissions claim to the access_token, but it is empty.

Can you please help debug this?

Thanks,
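
The two states discussed so far (no `permissions` claim at all versus a claim that is present but empty) can be told apart by decoding the token payload. The following is an added example, not part of either post and not Auth0's code; the tokens are constructed, unsigned samples, and the audience, `gty` value and permission name in them are made up for illustration.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(token: str) -> dict:
    """Decode the JWT payload for inspection only. No signature check is
    done here, so never use this result for an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part JWS (header.payload.signature)")
    payload = json.loads(b64url_decode(parts[1]))
    if not isinstance(payload, dict):
        raise ValueError("payload is not a JSON object")
    return payload


def permissions_state(token: str) -> str:
    """Return 'absent', 'empty', 'populated' or 'malformed'."""
    payload = decode_payload(token)
    if "permissions" not in payload:
        return "absent"  # the claim is not being added to the token at all
    perms = payload["permissions"]
    if not isinstance(perms, list):
        return "malformed"
    return "populated" if perms else "empty"


def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned sample token; the signature is a placeholder.
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


# Constructed sample claims (audience and permission names are made up).
BASE = {"aud": "https://api.example.test", "gty": "client-credentials"}
SAMPLES = {
    "claim absent": make_sample_token(BASE),
    "claim empty (this thread)": make_sample_token({**BASE, "permissions": []}),
    "claim populated": make_sample_token({**BASE, "permissions": ["read:items"]}),
}

if __name__ == "__main__":
    for label, tok in SAMPLES.items():
        print(f"{label}: {permissions_state(tok)}")
```
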

Hi @kvirk,

Thank you for your response and clarification.

Could you please share with me the exact code you used to make a request to get an access token via Postman and send it to me as a direct message?

I would like to double-check the configuration settings of your API to deduce if it’s the origin of the issue.

Thanks,
Rueben

Hi Rueben,

I have shared the details with you via DM, please check and help me debug this, as I don’t know if this is a bug in Auth0.

Thanks,

Hey @kvirk,

Thank you for sending me your code snippet through direct messages.

I have just responded to your DM on the next steps to getting this working.

Once we have reached a solution, I will follow up on this thread to share it with the rest of the Community.

Thanks,
Rueben

Hi Rueben,

Is it possible to debug as we want our Apps and APIs in the same tenant and can’t have a separate tenant just to create role/permission based auth?

Thanks,
Kunal
