Getting groups description in profile


I have successfully integrated Auth0 into my WebApp the only thing I’m missing is getting the user’s group description in the profile in my client App so I can display the description and not only the ids.

In the Auth0 Authorization Extension configuration I have enabled the “Add groups to the user Token” option (imaged attached)
alt text

and in my account configuration I have seen that a rules for auth0-authorization-extension has been created and there I can see that data.groups is added to user.groups:

// Update the user object.
  user.groups = data.groups;

  return callback(null, user, context);

  // Get the policy for the user.
  function getPolicy(user, context, cb) {{
  url: EXTENSION_URL + "/api/users/" + user.user_id + "/policy/" + context.clientID,
  headers: {
  "x-api-key": "fb9f7f87c8bacd4844b1d1bbc7854ff3b736f28e4678f96f4d5c4ba35100eb49"
  json: {
  connectionName: context.connection || user.identities[0].connection,
  groups: user.groups
  timeout: 5000
  }, cb);

On the profile I’m getting the groups as a list of strings in three different variables (app_metadata, groups and authorisation):

u’app_metadata’: {u’authorization’: {u’roles’: ], u’groups’: [mygroup’]}}

u’groups’: [mygroup’]

u’authorization’: {u’roles’: ], u’groups’: [mygroup’]}

Does anyone knows how to configure the rule (I guess there where its done), to able to receive the group description in the profile? And if possible how to avoid to receive the information three times.

Thanks in advance,

Role descriptions are not directly available in the authorization extension rule. To access the descriptions you need to activate first the API access to the authorization extension:

Once enabled you can use the endpoint /api/users/{id}/roles to retrieve the role descriptions.

Hi Santiago,

Thanks for the quick answer. I understand I can access this information through the endpoint, calling the API directly. I have enabled the API access to authorisation extension but when I tried to execute a call to the endpoint I have a problem passing the access token in the headers. This is the code I’m using that works perfectly for authenticating and getting the access_token.

def callback_handling():
    code = request.args.get('code')
    get_token = GetToken('')
    auth0_users = Users('')
    token = get_token.authorization_code('myappid',
                                         'myappsecret', code, 'http://localhost/callback')
    print token
    user_info = auth0_users.userinfo(token'access_token'])
    session'profile'] = json.loads(user_info)

    # Get groups
    headers = {
    'content-type': "application/json",
    'authorization': "Bearer "+token'access_token']
    print "@@", headers
    conn = http.client.HTTPSConnection("")
    conn.request("GET", "/adf6e2f2b84784b57522e3b19dfc9201/api/users/"+session'profile']'user_id']+"/groups", headers=headers)
    res = conn.getresponse()
    data =
    print data.decode("utf-8")


I can see the header I’m sending is like:

{'content-type': 'application/json', 'authorization': u'Bearer GDHDNTMiMJUarKIC'}

But I’m still getting this error on the API call:

{"statusCode":401,"error":"Unauthorized","message":"Invalid token format","attributes":{"error":"Invalid token format"}}

Any idea why I’m getting this error? The access token I’m getting from the Python Auth0 SDK should be valid for the API right?

I also have doubts about the API URL, this I got from the Authorisation Exception API configuration page, but Im not sure if is the one I should call.

Thanks in advance for the help

Im confused, does the Authorisation Extension creates a different API? Do I have to do the Authorisation Flow for this new API? I tried to call the Auth0-Authz API once enabled with the access_token I got from the Authentication Flow from my Web App and it didn’t work (code in answer below).

Could you explain how should I call the Authorisation Extension API from the Server side of my Python Flask Web App?

Thanks in advance for the help!

How are you obtaining the Bearer token to invoke the Authentication Extension API?

I suggest you follow first these steps to verify you can access the Auth Extension API after enabling it:

  1. Go to Dashboard => APIs. You should see there a new API named auth0-authorization-extension-api with the audience urn:auth0-authz-api. Click there.
  2. Go to the tab Non Interactive Clients
  3. Enable the clients from the list (it should be your web-application or otherwise a newly created non-interactive client for this purpose).
  4. Expand the client and select the scope: read:groups.
  5. Click UPDATE to save the allowed scopes in your client.
  6. Go to the tab test
  7. In the dropdown from the top, select the client which you enabled access (step 3)
  8. Execute the example request to /oauth/token. This will give you a Bearer token to invoke the auth extension API.
  9. Follow the indications from Sending the token to the API using the previous token and the url http://{YOUR_AUTH_EXTENSION_API_URL}/api/roles

Where the value of YOUR_AUTH_EXTENSION_API_URL is specified in the Authentication extension itself
(from the previous post I guess it should be like this: https://YOUR_AUTH0_DOMAIN/adf6e2f2b84784b57522e3b19dfc9201/api/roles

You should be able to see the roles now. If so, then you need to do the same in your application: execute a client_credentials grant flow with the settings from the previously configured non-interactive client and with the audience urn:auth0-authz-api.

As you can see this is a different token than the one you were using and this is why it did not work.

1 Like