How to Add Permissions from Roles to Access Token

My Setup
I have an API with many different permissions associated with it. Additionally, I have several user roles created that combine multiple permissions into meaningful groups. And, by extension, users have roles assigned to them based on the access they should need for our app.

The Problem
I have RBAC enabled on my API and I am able to get the permissions claim added to the token, however, it does not include permissions that are included in the role assigned to the user. I assumed that any permissions granted to the user through a role would be added here, but that’s not the case.

The Question
How can I add these permissions from the user’s role(s) to the access token so that they are available in my SPA?

Thanks in advance!

Hi @hunter.heavener,

Thanks for reaching out to the Auth0 Community!

After my investigation, I can confirm that you have correctly configured your API with RBAC and enabled the Add Permissions in the Access Token toggle. I also found that your users were correctly assigned to Permissions.

Now, when I try to reproduce the issue on my side, I did not find the same observations. I managed to get the permissions claim with the assigned permissions added to the access token every time by starting the request with something like the following:

https://YOUR_DOMAIN/authorize?
    response_type=code&
    client_id=YOUR_CLIENT_ID&
    redirect_uri=https://YOUR_APP/callback&
    scope={scope}
    audience={apiAudience}&
    state={state}

Given that, could you please capture a HAR file of the authentication events and DM it to me to investigate further?

And if possible, could you please create a test user for me and DM me the credentials to test the authentication flow of your application?

Thanks,
Rueben

Hey @rueben.tiow, thank you for looking into this for me. I’m just seeing your reply and I am going to test this in Postman and see if I get different results. I’d be happy to DM you with a HAR file also. Additionally, I don’t think I mentioned that I’m also using the React SDK client-side and I’m retrieving the access token silently through the getAccessTokenSilently method. It could be that I have something not configured correctly in my provider. I’ll test a couple more things and post an update here soon.

Also, the Auth0Provider is configured like this in my application:

<Auth0Provider
    useRefreshTokens
    domain={MY_DOMAIN}
    clientId={MY_CLIENT_ID}
    redirectUri={REDIRECT_URI}
    scope="openid profile email"
    audience={MY_API}
    cacheLocation="localstorage">
    ...
</Auth0Provider>
1 Like

Hey @rueben.tiow, you’ll have to be patient with me because I am by no means an OAuth or Auth0 expert. I attempted the request you created above in Postman and it returned the universal login page and I’m not sure how to go from that to an access token (at least not in Postman). I’m sure that’s me doing something wrong but I’m not sure what I’m doing incorrectly. Or maybe that’s normal? Perhaps I’m not supposed to be able to perform the flow in Postman. If that’s the case, where should I perform this request from?

If you could provide some more instruction on how exactly to set this up it would be greatly appreciated.

Thank you!

1 Like

In the meantime, here is a sample of the token data I have access to in my SPA:

{
    "iss": "<API_AUDIENCE>",
    "sub": "google-oauth2|<id>",
    "aud": [
        "<API_AUDIENCE>",
        "<APP_AUDIENCE>/userinfo"
    ],
    "iat": 1673538464,
    "exp": 1673624864,
    "azp": "<redacted>",
    "scope": "openid profile email",
    "permissions": []
}
1 Like

Well this is getting immortalized here. If you see the permissions claim but don’t see any permissions inside the claim, make sure your role has permissions in it :sweat_smile:

2 Likes

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.