How to get all user Claims with tokenOptions

I see lots of variations and am getting confused.

But I want to send the token with all his/her claims to the backend service.
The below:
{
  uri: '/server/api/v1/stas/liam/*',
  tokenOptions: {
    audience: 'http://localhost:8080',
    scope: 'view:account',
  },
},
gives scope [openid profile email view:account]

If I don't specify tokenOptions, then the scope in the backend is [openid profile email] only.

But what if the user has 3 more?
Another user may have only 2 claims. I want my backend to manage - access or deny, not the front end.

Is this possible? Is there an example?

Also, I'm wondering how brand-new users are granted claims.

Hi @k-auth0,

It sounds like the info your API needs should be encoded in the Access Token that Auth0 issues to your application after login.

After authentication takes place, Auth0 will issue an ID Token and an Access Token. The ID Token is used by your frontend to identify the user. The Access Token is sent as a bearer token in the Authorization header with each API request. When you register your API, you can use the API Identifier as the audience for your application; then you'll be issued a JWT as the Access Token. Your API can validate and decode the JWT to see the claims:

{
  "iss": "https://yourtenant.us.auth0.com/",
  "sub": "google-oauth2|123456789",
  "aud": [
    "https://test.com",
    "https://yourtenant.us.auth0.com/userinfo"
  ],
  "iat": 1615979031,
  "exp": 1615979051,
  "azp": "Ti6gD0OcKmwbcl4khL82qYrLRqt4Yate",
  "scope": "openid profile email read:messages"
}

You can find libraries for validating and decoding JWTs at jwt.io.

Here is how to register an API:

Please let me know if this is the info you’re looking for! Thank you!

Thanks. The answer is at a very high level.
You suggested reading "register API". I think I did it: I created permissions/scopes etc. That configuration is complete.
Next step: the application, the SPA.
In environment.ts, which uses httpInterceptor, in allowedList I want to specify the backend endpoint:

{
  uri: '/server/api/v1/stas/liam/*',
  tokenOptions: {
    audience: 'http://localhost:8080',
    scope: 'view:account',
  },
},

Imagine I want to specify many scopes:
view:account, view:balance, view:address

A brand-new user starts the application and completes the Auth0 login. How will he get the scopes? Do I need to monitor and grant them like an admin? Until then, does the progress bar keep looping?

Scenario 2: I have user1 with only the view:account permission, and user2 with the view:account and view:balance scopes/permissions.

what should I specify in environment.ts?

scope: 'view:account',
or
scope: 'view:account','view:balance' (don't mind if it should be 'view:account view:balance')
But will user1 be allowed to go to my Spring backend, or get stuck with "consent required"?

It sounds like Enable Role-Based Access Control for APIs might help you achieve this. Instead of specifying scopes in your environment.ts, users can be assigned roles that have permissions associated with the role. The permissions associated with each role can be added to the Access Token.

Also, here is an FAQ for assigning a default role to users automatically when they log in for the first time: How do I add a default role to a new user on first login?

Thanks for this. RBAC and Add Permissions are enabled. But I am not getting what I want.

Testing scenario: I have the Spring app, which looks for all claims and prints them: sub: auth0|5fba***, scope: openid profile email
Test client: Postman is invoking the Spring endpoint with authorization, including scope = openid profile email view:account

But I don't see the permissions I see in the Auth0 portal (Users and Roles >> Users >> Permissions) in the Spring app claims. Why??

Knowing a user's permissions is a very critical feature, and that should be available OOTB?

I have no idea how Enable RBAC and Add Permissions in the Access Token work.
Yikes, even if I disable both, I see scope: openid profile email in the JWT.
I am restarting my Spring app and Angular app in a brand-new InPrivate browser, and still don't see any difference.
Is this free account special?

I went to Auth0 account >> Users >> selected user >> Permissions >> Assign Permissions >> Select permissions from existing APIs >> added a list of permissions (scopes) of the API.
Still can't see them in the claims. So confusing. Does it take time to take effect?

Yes, the scope property will always be included. Any setting changes you make should take effect right away.

You may need to set the token dialect so that the user permissions are added as a claim to the Access Token.

To do this, you can go to APIs > Auth0 Management API in your dashboard and select the API Explorer tab and copy the test Access Token.

Then go to Auth0 Management API v2 and click TRY to get the ID of your API.

Finally, update the token dialect by going to Auth0 Management API v2 and send the ID of the API and the token dialect setting:

{
  "token_dialect": "access_token_authz"
}

The decoded Access Token should look like this:

{
  "iss": "https://your-domain.us.auth0.com/",
  "sub": "google-oauth2|123456789",
  "aud": [
    "https://test.com",
    "https://your-domain.us.auth0.com/userinfo"
  ],
  "iat": 1616425103,
  "exp": 1616511503,
  "azp": "pOW4Xrkst9wHmCJuoBn80DGPHB7IQd2I",
  "scope": "openid profile email",
  "permissions": [
    "read:messages",
    "write:something"
  ]
}

The user's permissions are added to the permissions claim (see above).
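As an added example (not code from the thread or from Auth0), here is the backend-side check that the two answers above describe: validate the RS256 Access Token, then decide access from the `permissions` claim (present once the API's token dialect is access_token_authz) and the `scope` claim. It is TypeScript on Node's built-in crypto so it runs offline; a real Spring or Node backend would fetch the tenant's public key from the JWKS endpoint instead of generating a key pair locally. The issuer, audience, user ids and the fixed clock are constructed values, and `demo()` plays out "Scenario 2" from the original question: user1 holds view:account, user2 also holds view:balance.

```typescript
import * as crypto from "crypto";

// Constructed values for the demo; use your tenant URL and API Identifier.
export const ISSUER = "https://yourtenant.us.auth0.com/";
export const AUDIENCE = "http://localhost:8080";

export interface Claims {
  iss?: string;
  sub?: string;
  aud?: string | string[];
  exp?: number;
  scope?: string;                // what the client requested and was granted
  permissions?: string[] | null; // user's API permissions (access_token_authz dialect)
}

const b64url = (data: Buffer | string): string => Buffer.from(data).toString("base64url");
const fromB64url = (s: string): Buffer => Buffer.from(s, "base64url");

// Test-only token minting. Auth0 does this with the tenant's private key;
// the API never holds a signing key, only the public key from the JWKS.
export function signTestToken(claims: Claims, privateKey: crypto.KeyObject): string {
  const header = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify(claims));
  const signature = crypto.sign("sha256", Buffer.from(`${header}.${payload}`), privateKey);
  return `${header}.${payload}.${b64url(signature)}`;
}

// Verify signature, issuer, audience and expiry before trusting any claim.
export function verifyAccessToken(
  token: string,
  publicKey: crypto.KeyObject,
  now: number = Math.floor(Date.now() / 1000),
): Claims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  const header = JSON.parse(fromB64url(h).toString("utf8"));
  // Pin the algorithm: never let the token choose (blocks alg=none / HS256 confusion).
  if (header.alg !== "RS256") throw new Error(`unexpected alg ${header.alg}`);
  if (!crypto.verify("sha256", Buffer.from(`${h}.${p}`), publicKey, fromB64url(s))) {
    throw new Error("invalid signature");
  }
  const claims: Claims = JSON.parse(fromB64url(p).toString("utf8"));
  if (claims.iss !== ISSUER) throw new Error("wrong issuer");
  const aud: Array<string | undefined> = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(AUDIENCE)) throw new Error("token not issued for this API");
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("token expired");
  return claims;
}

// Everything the token lets this user do against this API.
// `permissions: null` (RBAC / token dialect not enabled) contributes nothing,
// so the user is denied unless the scope claim carries the permission.
export function grantedPermissions(claims: Claims): Set<string> {
  const fromPermissions = Array.isArray(claims.permissions) ? claims.permissions : [];
  const fromScope = (claims.scope ?? "").split(" ").filter(Boolean);
  return new Set([...fromPermissions, ...fromScope]);
}

// The backend makes the access decision; the SPA only asks for scopes.
export function isAllowed(claims: Claims, required: string): boolean {
  return grantedPermissions(claims).has(required);
}

// Scenario 2 from the thread, with constructed users and a fixed clock.
export function demo(): Record<string, boolean> {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const now = 1_700_000_000;
  const base = { iss: ISSUER, aud: [AUDIENCE], exp: now + 600, scope: "openid profile email" };
  const user1 = signTestToken({ ...base, sub: "auth0|user1", permissions: ["view:account"] }, privateKey);
  const user2 = signTestToken({ ...base, sub: "auth0|user2", permissions: ["view:account", "view:balance"] }, privateKey);
  const c1 = verifyAccessToken(user1, publicKey, now);
  const c2 = verifyAccessToken(user2, publicKey, now);
  return {
    user1_account: isAllowed(c1, "view:account"),
    user1_balance: isAllowed(c1, "view:balance"),
    user2_balance: isAllowed(c2, "view:balance"),
  };
}
```

The same `view:balance` endpoint therefore answers 200 for user2 and 403 for user1 from one token format, with no per-user configuration in the SPA; the `scope` claim is what the client was granted, the `permissions` claim is the user's full permission set for this API.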

Thanks for trying to help.

I am sorry, but I'm really struggling with the steps.

To do this, you can go to APIs > Auth0 Management API in your dashboard and select the API Explorer tab and copy the test Access Token.

OK, I copied it.

Then go to Auth0 Management API v2 and click TRY to get the ID of your API.

Should I click the above link? If yes, then I did, and clicked the TRY button: "Body is required". Should I assume that I need to paste the token and click TRY?

Also, I was not sure where to use the copied token, so I replaced access_token_authz with it.

Got an error:

{
  "statusCode": 401,
  "error": "Unauthorized",
  "message": "Missing authentication"
}

I don't understand why I am doing all this. We are talking about users, not just 1 user.

You can paste the Management API Explorer Access Token using the button at the top left of the docs.


For the GET /api/v2/resource-servers endpoint, you can leave all of the fields blank to get a list of all of the APIs.

You'll want to copy the ID of your API so that you can update its settings using the PATCH /api/v2/resource-servers/{id} endpoint.

After you've changed the setting, you should receive every user's permissions in the Access Token.
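The three steps in this answer (Management API token, look up the API's id, PATCH its token dialect) as an added TypeScript example; this is not Auth0's code. `findApiId` and `buildTokenDialectPatch` are pure so they can be checked offline, and `applyTokenDialect` strings them together with whatever fetch you pass in (Node 18's global `fetch` works). The Management API token must carry `read:resource_servers` and `update:resource_servers`, otherwise the GET fails with the 401 "Missing authentication" / Unauthorized seen earlier in the thread. `enforce_policies: true` is the Management API field behind "Enable RBAC" and is sent together with the dialect, since permissions only land in the token when RBAC is enabled for the API. The domain, ids, identifiers and token strings below are placeholders.

```typescript
// Minimal view of a Management API v2 resource server (only the fields used here).
export interface ResourceServer {
  id: string;
  identifier: string;         // the API Identifier, i.e. the audience you request
  name?: string;
  enforce_policies?: boolean; // "Enable RBAC" in the dashboard
  token_dialect?: string;     // "access_token" | "access_token_authz"
}

export interface HttpRequest {
  method: "GET" | "PATCH";
  url: string;
  headers: Record<string, string>;
  body?: string;
}

// Minimal fetch-like contract so the caller can pass the global fetch or a fake.
export type FetchLike = (
  url: string,
  init?: { method?: string; headers?: Record<string, string>; body?: string },
) => Promise<{ ok: boolean; status: number; json(): Promise<unknown> }>;

// Constructed sample of what GET /api/v2/resource-servers returns (ids are placeholders).
export const SAMPLE_RESOURCE_SERVERS: ResourceServer[] = [
  { id: "5f0a1b2c3d4e5f6a7b8c9d0e", identifier: "https://yourtenant.us.auth0.com/api/v2/", name: "Auth0 Management API" },
  { id: "60ab12cd34ef56ab78cd90ef", identifier: "http://localhost:8080", name: "Spring backend", token_dialect: "access_token" },
];

// Step 1: GET /api/v2/resource-servers lists every API in the tenant.
export function buildListRequest(domain: string, mgmtToken: string): HttpRequest {
  return {
    method: "GET",
    url: `https://${domain}/api/v2/resource-servers`,
    headers: { Authorization: `Bearer ${mgmtToken}` },
  };
}

// Step 2: pick your API by its identifier (the audience), not by name, and take its id.
export function findApiId(servers: ResourceServer[], identifier: string): string {
  const api = servers.find((s) => s.identifier === identifier);
  if (!api) throw new Error(`no API with identifier ${identifier}; check the audience you registered`);
  return api.id;
}

// Step 3: PATCH /api/v2/resource-servers/{id} with RBAC on and the authz dialect.
export function buildTokenDialectPatch(domain: string, mgmtToken: string, apiId: string): HttpRequest {
  return {
    method: "PATCH",
    url: `https://${domain}/api/v2/resource-servers/${encodeURIComponent(apiId)}`,
    headers: { Authorization: `Bearer ${mgmtToken}`, "Content-Type": "application/json" },
    body: JSON.stringify({ enforce_policies: true, token_dialect: "access_token_authz" }),
  };
}

// All three steps against a live tenant; fetchImpl is injected so this stays testable.
export async function applyTokenDialect(
  domain: string,
  mgmtToken: string,
  identifier: string,
  fetchImpl: FetchLike,
): Promise<ResourceServer> {
  const list = buildListRequest(domain, mgmtToken);
  const listRes = await fetchImpl(list.url, { method: list.method, headers: list.headers });
  if (!listRes.ok) throw new Error(`GET resource-servers failed: HTTP ${listRes.status} (401 = token missing or invalid)`);
  const apiId = findApiId((await listRes.json()) as ResourceServer[], identifier);
  const patch = buildTokenDialectPatch(domain, mgmtToken, apiId);
  const patchRes = await fetchImpl(patch.url, { method: patch.method, headers: patch.headers, body: patch.body });
  if (!patchRes.ok) throw new Error(`PATCH resource-server failed: HTTP ${patchRes.status}`);
  return (await patchRes.json()) as ResourceServer;
}
```

The PATCH is a one-time tenant configuration for the API, not something done per user: once `token_dialect` is `access_token_authz`, every Access Token issued for that audience carries the calling user's own permissions.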

Sorry, I have no understanding of all these suggestions. It looks like my question is totally different, and this is very difficult. I am a Java and Angular developer.

All I want to do is very simple: create the API and SPA, and configure them in my Angular and Spring.
(1) How to add more scopes/permissions? Why are User Management >> User >> Permissions not coming to my backend service?
(2) Do I need to do anything in Angular to tell Auth0 that I need a scope? E.g., do I need to use tokenOptions and scope?

(3) If I have to specify it, then I have to add it to every endpoint (environment.ts), which is a nightmare:
httpInterceptor: {
  allowedList: [
    {
      uri: '/server/api/v1/todo//',
      tokenOptions: {
        audience: 'http://localhost:8080',
        scope: 'view:something',
      },
    },
  ],
},

P.S. I am deleting all my replies to this post.

Hi @k-auth0,

To get the user permissions added to the Access Token for your backend service, you can update the token_dialect setting to access_token_authz for your API via the Management API. Documentation: Sample Use Cases: Rules with Authorization

If there is a scope that every user will need, you can request it in the tokenOptions.

If you add the scope to the environment, then the scope should always be requested.

I can try to troubleshoot what might be the issue via a HAR file. Could you send me a HAR file in a private message? Generate and Analyze HAR Files Thanks!
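An added example, not from the thread, for the "which scope string do I put in environment.ts" and "one entry per endpoint" questions: a single allowedList entry (auth0-angular v1 shape with `tokenOptions`, as used in the posts above) that requests all three scopes as one space-separated string for every endpoint under a prefix, plus a small helper that reproduces what the interceptor does with it. The helper is my simplification of the SDK's behaviour (a `*` wildcard in `uri`, the default `openid profile email` merged with the entry's scope, which is what the `[openid profile email view:account]` result in the first post shows); it is not the SDK's code. The URLs and scope names are the thread's own; the domain and client id are placeholders.

```typescript
// Shape of the auth0-angular v1 interceptor route config used in this thread (assumption).
export interface RouteConfig {
  uri: string; // may contain "*" wildcards
  tokenOptions?: { audience?: string; scope?: string }; // scope is ONE space-separated string
}

export const environment = {
  production: false,
  auth: {
    domain: "yourtenant.us.auth0.com", // placeholder
    clientId: "YOUR_CLIENT_ID",        // placeholder
    audience: "http://localhost:8080",
  },
  httpInterceptor: {
    allowedList: [
      {
        // One wildcard entry instead of one entry per endpoint.
        uri: "/server/api/v1/*",
        tokenOptions: {
          audience: "http://localhost:8080",
          // Not 'view:account','view:balance': OAuth scopes are space separated.
          scope: "view:account view:balance view:address",
        },
      },
    ] as RouteConfig[],
  },
};

// Scopes the SDK always requests (assumption based on the output quoted in the thread).
export const DEFAULT_SCOPE = "openid profile email";

// Translate a uri pattern with "*" into an anchored RegExp; everything else is literal.
function wildcardToRegExp(pattern: string): RegExp {
  const escaped = pattern
    .split("*")
    .map((part) => part.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  return new RegExp(`^${escaped}$`);
}

// First allowedList entry matching the request URL, or undefined (no token attached).
export function matchRoute(
  url: string,
  routes: RouteConfig[] = environment.httpInterceptor.allowedList,
): RouteConfig | undefined {
  return routes.find((r) => wildcardToRegExp(r.uri).test(url));
}

// Merge scope strings, de-duplicated, order preserved.
export function uniqueScopes(...scopeStrings: string[]): string {
  const seen = new Set<string>();
  for (const s of scopeStrings) for (const scope of s.split(" ")) if (scope) seen.add(scope);
  return [...seen].join(" ");
}

// The scope parameter the interceptor would send when fetching a token for this URL.
export function requestedScope(url: string): string | undefined {
  const route = matchRoute(url);
  if (!route) return undefined;
  return uniqueScopes(DEFAULT_SCOPE, route.tokenOptions?.scope ?? "");
}
```

With RBAC enabled on the API, Auth0 only grants the requested scopes a user actually holds, so this one entry yields `scope: ... view:account` for user1 and `... view:account view:balance` for user2 from the same configuration; the backend reads the claim and decides, which is the split the original question asks for.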

Not sure where I need to put this function, or how it gets invoked:

// Auth0 Rule: runs after every login, before the tokens are issued.
function (user, context, callback) {
  // Custom claims must be namespaced (any URL-like prefix) so they cannot
  // collide with reserved or standard claim names.
  const namespace = 'http://demozero.net';
  // Roles assigned through Authorization Core (empty when the user has none).
  const assignedRoles = (context.authorization || {}).roles;

  let idTokenClaims = context.idToken || {};
  let accessTokenClaims = context.accessToken || {};

  // Copy the roles into both tokens under the namespaced claim.
  idTokenClaims[`${namespace}/roles`] = assignedRoles;
  accessTokenClaims[`${namespace}/roles`] = assignedRoles;

  context.idToken = idTokenClaims;
  context.accessToken = accessTokenClaims;

  // Hand control back to the pipeline; a non-null first argument denies the login.
  callback(null, user, context);
}

Is there a "complete" example that shows how to do this inside Angular?

The function is actually executed through an Auth0 Rule. Rules are JavaScript functions that run after authentication which allow you to customize certain things, such as adding custom claims to the Access Token/ID Token.

You can create a rule by going to Auth Pipeline > Rules in your Auth0 dashboard and clicking + CREATE RULE. Select Empty rule, and enter in the function and click Save.

This is saying roles, but I am using permissions/scopes, isn't it?

EDIT: a few more things... it uses http://demozero.net, and I have no idea.

Is this rule applicable across all the applications in my account/tenant?

I created an empty rule and saved the script/function. There is a Try button, and it gives John Doe. What is that?

I created roles, added permissions and users.

But I am still struggling to get this working.

EDIT: I enabled RBAC, allow roles, blah blah.

Now I get → http://demozero.net/roles: null

I don't understand how to get rid of that "Go to configuration". It doesn't say whether changes are saved or not.

https://example.com/email: s***.com
http://demozero.net/roles: null
azp: Zk5****oS
permissions: null
scope: openid profile email

Can anyone help... why are roles and permissions null??

That’s correct, that rule adds roles to the Access Token and ID Token. If you wanted to add permissions to the Access Token, you’d enable RBAC for your API and enable “Add Permissions in the Access Token” or enable RBAC via the Management API and set the Token Dialect to access_token_authz as described above.

http://demozero.net is an example custom namespace. It's required so that custom claims don't collide with any reserved claims.

Rules execute for every application in your tenant. You can check the application name if you’d prefer to only run a rule for a particular application:

  // Skip this rule for every application except the named one.
  if (context.clientName !== 'NameOfTheAppYouWantToRunRuleFor') {
    return callback(null, user, context);
  }

The John Doe data is just example data that you can try with rules, but you may want to actually log into your application with a user who you have assigned permissions to. You can go to Getting started in the dashboard and click Try it out under “Try your Login box”.

It looks like you are using the Authorization Extension instead of the Authorization Core (FAQ: Can I Use Authorization Core and Authorization Extension together?). Unfortunately, you cannot use both, so this may be what is causing the null values for permissions: Authorization Core vs. Authorization Extension

Here are the docs for the Authorization Extension (although the Authorization Core as described in the earlier posts is recommended): Authorization Extension

Please, if you know, guide me in the right direction.
Removed the extensions.

Still getting the same response:

aud: null
https://example.com/email: sv****.com
http://demozero.net/roles: null
azp: Z****QmdoS
permissions: null
scope: openid profile email

Where should I use this?

{
  "token_dialect": "access_token_authz"
}

I enabled RBAC and Add Permissions***, i.e. red-underlined as in the article.

Try your Login box in Get started is giving:

"http://demozero.net/roles": [
  "super"
]

Why is it not coming from Angular to Spring?

I am testing my backend using Postman; even that is not giving the role.