How to get all user Claims with tokenOptions

You can paste the Management API Explorer Access Token using the button at the top left of the docs.


For the GET/api/v2/resource-servers endpoint, you can leave all of the fields blank to get a list of all of the APIs.

You’ll want to copy the ID of your API so that you can update its settings using the PATCH/api/v2/resource-servers/{id} endpoint.

After you’ve changed the settings, you should receive every users’ permissions in the Access Token.
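As an added example (not code from the original post or from Auth0's own docs), here are the two Management API calls described above built as plain request descriptors: look the API up in the GET /api/v2/resource-servers listing by its identifier, then PATCH it to the access_token_authz token dialect. The tenant domain, the Management API token, the resource server ids and the API identifier below are placeholders or constructed sample data; `enforce_policies` is the Management API field behind the dashboard's "Enable RBAC" switch.

```javascript
// Added example, not from the thread: Management API flow for switching an
// API to the access_token_authz dialect. Inputs assumed: tenant domain, a
// Management API token with read:resource_servers/update:resource_servers,
// and the API identifier (audience) shown in the dashboard.

// Locate the resource server (API) whose identifier matches the audience.
// `list` is the JSON array returned by GET /api/v2/resource-servers.
function findResourceServerId(list, apiIdentifier) {
  const match = list.find((rs) => rs.identifier === apiIdentifier);
  if (!match) {
    throw new Error(`no resource server with identifier ${apiIdentifier}`);
  }
  return match.id;
}

// Build the PATCH /api/v2/resource-servers/{id} request that enables RBAC
// and puts the permissions claim into the Access Token.
function buildTokenDialectPatch(domain, resourceServerId, mgmtToken) {
  return {
    method: 'PATCH',
    url: `https://${domain}/api/v2/resource-servers/${encodeURIComponent(resourceServerId)}`,
    headers: {
      Authorization: `Bearer ${mgmtToken}`,
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({
      enforce_policies: true,              // "Enable RBAC" in the dashboard
      token_dialect: 'access_token_authz', // "Add Permissions in the Access Token"
    }),
  };
}

// Send a descriptor with fetch (Node 18+ provides a global fetch).
async function sendRequest(req, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(req.url, {
    method: req.method,
    headers: req.headers,
    body: req.body,
  });
  if (!res.ok) {
    throw new Error(`${req.method} ${req.url} failed with HTTP ${res.status}`);
  }
  return res.json();
}

// Constructed sample of what GET /api/v2/resource-servers returns; ids are placeholders.
const SAMPLE_RESOURCE_SERVERS = [
  { id: 'rs_PLACEHOLDER_MGMT', identifier: 'https://example-tenant.auth0.com/api/v2/', name: 'Auth0 Management API' },
  { id: 'rs_PLACEHOLDER_TODO', identifier: 'http://localhost:8080', name: 'Todo API' },
];

// Usage (needs a real domain and token): build the PATCH for the Todo API.
const todoPatch = buildTokenDialectPatch(
  'example-tenant.auth0.com',
  findResourceServerId(SAMPLE_RESOURCE_SERVERS, 'http://localhost:8080'),
  'MGMT_TOKEN_PLACEHOLDER',
);
console.log(todoPatch.method, todoPatch.url, todoPatch.body);
// To apply it for real: await sendRequest(todoPatch);
```

The descriptor approach keeps the request visible before it is sent, which is useful when the Management API token is short-lived and you want to confirm you are patching the right resource server id.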

Sorry, I have no understanding of all these suggestions. Looks like my question is totally different, and this is very difficult. I am a Java and Angular developer.

All I want to do is very simple: create an API and an SPA, and configure them in my Angular and Spring apps.
(1) How do I add more scopes/permissions? Why are User Management >> Users >> Permissions not coming to my backend service?
(2) Do I need to do anything in Angular to tell Auth0 that I need a scope? E.g., do I need to use tokenOptions and set scope?

(3) If I have to specify it, then I have to add it to every endpoint (environment.ts), which is a nightmare:
httpInterceptor: {
  allowedList: [
    {
      uri: '/server/api/v1/todo//',
      tokenOptions: {
        audience: 'http://localhost:8080',
        scope: 'view:something',
      },
    },
  ],
},

P.S. I am deleting all my replies to this post.

Hi @k-auth0,

To get the user permissions added to the Access Token for your backend service, you can update the token_dialect setting to access_token_authz for your API via the Management API. Documentation: Sample Use Cases: Rules with Authorization

If there is a scope that every user will need, you can request it in the tokenOptions

If you add the scope to the environment, then the scope should always be requested.

I can try to troubleshoot what might be the issue via a HAR file. Could you send me a HAR file in a private message? Generate and Analyze HAR Files Thanks!

Not sure where I need to put this function or how it gets invoked.

function (user, context, callback) {
  // Custom claims must be namespaced so they don't collide with reserved claims
  const namespace = 'http://demozero.net';
  // Roles assigned to the user (populated by Authorization Core when present)
  const assignedRoles = (context.authorization || {}).roles;

  let idTokenClaims = context.idToken || {};
  let accessTokenClaims = context.accessToken || {};

  // Add the roles as a namespaced claim to both tokens
  idTokenClaims[`${namespace}/roles`] = assignedRoles;
  accessTokenClaims[`${namespace}/roles`] = assignedRoles;

  context.idToken = idTokenClaims;
  context.accessToken = accessTokenClaims;

  // Hand the modified context back to the pipeline
  callback(null, user, context);
}

Is there a “complete” example that shows how to do this inside Angular?

The function is actually executed through an Auth0 Rule. Rules are JavaScript functions that run after authentication which allow you to customize certain things such as adding custom claims to the Access Token/ID Token.

You can create a rule by going to Auth Pipeline > Rules in your Auth0 dashboard and clicking + CREATE RULE. Select Empty rule, and enter in the function and click Save.

This is saying roles, but I am using permissions/scopes, isn't it?

EDIT: a few more things… it uses http://demozero.net and I have no idea.

Is this rule applicable across all the applications in my account/tenant?

I created an empty rule and saved the script/function. There is a Try button, and it gives John Doe. What is that?

I created Roles, added permissions and users.

But still struggling to get this working

EDIT: I enabled RBAC, allow roles blah blah

Now I get → http://demozero.net/roles: null

I don’t understand how to get rid of that “Go to configuration”. It doesn’t tell me whether changes are saved or not.

https://example.com/email: s***.com
http://demozero.net/roles: null
azp: Zk5****oS
permissions: null
scope: openid profile email

Can anyone help… why are roles and permissions null??

That’s correct, that rule adds roles to the Access Token and ID Token. If you wanted to add permissions to the Access Token, you’d enable RBAC for your API and enable “Add Permissions in the Access Token” or enable RBAC via the Management API and set the Token Dialect to access_token_authz as described above.

http://demozero.net is an example custom namespace. It’s required so that claims don’t collide with any reserved claims.

Rules execute for every application in your tenant. You can check the application name if you’d prefer to only run a rule for a particular application:

  // Skip this rule (leave the tokens untouched) for every other application
  if (context.clientName !== 'NameOfTheAppYouWantToRunRuleFor') {
    return callback(null, user, context);
  }

The John Doe data is just example data that you can try with rules, but you may want to actually log into your application with a user who you have assigned permissions to. You can go to Getting started in the dashboard and click Try it out under “Try your Login box”.

It looks like you are using the Authorization Extension instead of the Authorization Core (FAQ: Can I Use Authorization Core and Authorization Extension together?). Unfortunately, you cannot use both, so this may be what is causing the null values for permissions: Authorization Core vs. Authorization Extension

Here are the docs for the Authorization Extension (although the Authorization Core as described in the earlier posts is recommended): Authorization Extension
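As an added example (not code from the thread or from Auth0), the Rule posted earlier can be exercised offline against constructed user/context objects, much as the dashboard's Try button does, to see exactly when the namespaced roles claim comes out empty. It also includes the application gate from the reply above. The application names, the sample user and the contexts are constructed; the namespace is the one used in the thread.

```javascript
// Added example, not from the thread: run the roles-to-claims Rule against
// constructed contexts and inspect the resulting Access Token claim.

const NAMESPACE = 'http://demozero.net';

// The Rule from the thread, with the per-application check added so it only
// runs for one client (the app name 'Todo SPA' is a constructed placeholder).
function addRolesClaim(user, context, callback) {
  if (context.clientName !== 'Todo SPA') {
    return callback(null, user, context); // other apps: tokens left untouched
  }
  // Roles only exist here when Authorization Core supplies them
  const assignedRoles = (context.authorization || {}).roles;

  const idTokenClaims = context.idToken || {};
  const accessTokenClaims = context.accessToken || {};

  idTokenClaims[`${NAMESPACE}/roles`] = assignedRoles;
  accessTokenClaims[`${NAMESPACE}/roles`] = assignedRoles;

  context.idToken = idTokenClaims;
  context.accessToken = accessTokenClaims;

  return callback(null, user, context);
}

// Minimal harness: a Rule reports its result through the callback, so capture it.
function runRule(rule, user, context) {
  let outcome = null;
  rule(user, context, (err, u, ctx) => {
    outcome = { err, user: u, context: ctx };
  });
  return outcome;
}

// What a decoded Access Token would show for the roles claim. A claim that
// was set to undefined is dropped when the token is serialised, which is
// what the "roles: null" lines in the thread reflect.
function rolesClaimOf(context) {
  const value = (context.accessToken || {})[`${NAMESPACE}/roles`];
  return value === undefined ? null : value;
}

// Constructed sample user, in the spirit of the dashboard's John Doe data.
const SAMPLE_USER = { user_id: 'auth0|PLACEHOLDER', email: 'jane@example.com' };

// Case 1: roles assigned in Authorization Core, so context.authorization.roles is present.
function caseWithRoles() {
  const ctx = { clientName: 'Todo SPA', authorization: { roles: ['super'] } };
  return rolesClaimOf(runRule(addRolesClaim, SAMPLE_USER, ctx).context);
}

// Case 2: no roles available in the context, so the claim is empty.
function caseWithoutRoles() {
  const ctx = { clientName: 'Todo SPA' };
  return rolesClaimOf(runRule(addRolesClaim, SAMPLE_USER, ctx).context);
}

// Case 3: a different application, so the rule adds nothing at all.
function caseOtherApp() {
  const ctx = { clientName: 'Reporting App', authorization: { roles: ['super'] } };
  return rolesClaimOf(runRule(addRolesClaim, SAMPLE_USER, ctx).context);
}

console.log('with roles:   ', caseWithRoles());
console.log('without roles:', caseWithoutRoles());
console.log('other app:    ', caseOtherApp());
```

Case 2 is the situation the thread describes: the rule runs without error but the claim is empty because nothing populated `context.authorization.roles`, so the thing to check is role assignment and which authorization feature (Core or Extension) is active, not the rule itself.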

Please, if you know, guide me in the right direction.
Removed Extensions

Still getting same response

aud: null
https://example.com/email: sv****.com
http://demozero.net/roles: null
azp: Z****QmdoS
permissions: null
scope: openid profile email

Where should I use this?

{
  "token_dialect": "access_token_authz"
}

I enabled RBAC and Add Permissions***, i.e. the red-underlined setting as in the article.

Try your Login box in Get started is giving

"http://demozero.net/roles": [
  "super"
]

Why is it not coming from Angular to Spring?

I am testing my backend using Postman; even that is not giving the role.

Can anyone help here? Do I need any special settings in Postman?

Hi @k-auth0,

Unfortunately, I’m not familiar with Spring at all, but I will try to help! Are you testing your API in Postman using the Access Token you receive after logging into the Angular app as the Bearer token in the Authorization header? Have you tried logging the token you are receiving in the API to see the entire token and decoding it at https://jwt.io/?
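As an added example (not code from the thread), this is the offline inspection step suggested above done in code rather than at jwt.io: split the compact JWT, base64url-decode the payload and report which authorization claims are present. The two tokens are constructed here with a placeholder signature, so this only decodes; the API must still verify the signature and audience before trusting any claim.

```javascript
// Added example, not from the thread: decode an Access Token payload and
// summarise the claims the backend would see. Tokens below are constructed
// and unsigned (placeholder signature segment); issuer, audience and client
// id values are placeholders.

const ROLES_NAMESPACE = 'http://demozero.net';

// base64url helpers (Node's Buffer understands the 'base64url' encoding).
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj), 'utf8').toString('base64url');
}
function b64urlDecode(segment) {
  return Buffer.from(segment, 'base64url').toString('utf8');
}

// Split header.payload.signature and parse the payload as JSON.
// This does NOT validate the token; it only makes the claims readable.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('not a compact JWS: expected header.payload.signature');
  }
  return JSON.parse(b64urlDecode(parts[1]));
}

// Mirror the claim list printed in the thread and flag what is missing.
function inspectAuthorizationClaims(payload, namespace = ROLES_NAMESPACE) {
  const scopes = typeof payload.scope === 'string'
    ? payload.scope.split(' ').filter(Boolean)
    : [];
  return {
    aud: payload.aud ?? null,
    scopes,
    // permissions only appear with the access_token_authz dialect; an
    // absent claim is what the "permissions: null" output reflects
    permissions: Array.isArray(payload.permissions) ? payload.permissions : null,
    roles: Array.isArray(payload[`${namespace}/roles`]) ? payload[`${namespace}/roles`] : null,
    hasPermissionsClaim: Array.isArray(payload.permissions),
  };
}

// Build a constructed, unsigned sample token for inspection.
function buildSampleToken(payload) {
  const header = { alg: 'RS256', typ: 'JWT', kid: 'PLACEHOLDER_KID' };
  return `${b64urlEncode(header)}.${b64urlEncode(payload)}.PLACEHOLDER_SIGNATURE`;
}

// Token shape after RBAC + access_token_authz and the roles rule are active.
const TOKEN_AFTER_RBAC = buildSampleToken({
  iss: 'https://example-tenant.auth0.com/',
  aud: ['http://localhost:8080', 'https://example-tenant.auth0.com/userinfo'],
  azp: 'CLIENT_ID_PLACEHOLDER',
  scope: 'openid profile email',
  permissions: ['view:something', 'delete:items'],
  [`${ROLES_NAMESPACE}/roles`]: ['super'],
});

// Token shape matching the thread's output: no audience, no permissions, no roles.
const TOKEN_BEFORE_RBAC = buildSampleToken({
  iss: 'https://example-tenant.auth0.com/',
  azp: 'CLIENT_ID_PLACEHOLDER',
  scope: 'openid profile email',
});

console.log('after RBAC: ', inspectAuthorizationClaims(decodeJwtPayload(TOKEN_AFTER_RBAC)));
console.log('before RBAC:', inspectAuthorizationClaims(decodeJwtPayload(TOKEN_BEFORE_RBAC)));
```

Run against the real token copied from the Postman Authorization header, `aud: null` together with `permissions: null` is the signature of a token that was never issued for the API audience at all, which is a different fix (request the audience) from a missing token dialect setting.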

To clarify, in the above scenario Angular is out of scope. Postman is invoking the endpoint, and Spring is scanning the token and printing all properties: claims, scopes, permissions…

Maybe I have to use the below.


I think the tutorial would be a great example to follow! You can also check out the Spring quickstart if you haven’t already: Auth0 Java Spring Boot SDK Quickstarts: Login

Still Nightmares

Once there was this object: AuthenticationJsonWebToken

Maybe it is now: @AuthenticationPrincipal OidcUser principal

The example doesn’t give enough logs to understand. It would be nice to write a small example, which I think is part of unit testing, as Spring users are one huge community. Lots of ellipses in the example {…}

@DeleteMapping("/{id}")
@PreAuthorize("hasAuthority('delete:items')") // New line
public ResponseEntity delete(@PathVariable("id") Long id) {...}

@ExceptionHandler(MethodArgumentNotValidException.class)
public ResponseEntity<Map<String, String>> handleValidationExceptions(
        MethodArgumentNotValidException ex) {...}

Too much forcing, like @EnableGlobalMethodSecurity(prePostEnabled = true) and endpoints with @PreAuthorize("hasAuthority('create:items')"), is unwanted.

Can anyone tell me how I can print the claims using the above example?

Ok. Sorted

In an endpoint signature, we can add this default bean: JwtAuthenticationToken authentication

@GetMapping()
public String getSomething(final JwtAuthenticationToken authentication) {
    // Print every claim of the validated JWT as "key: value"
    authentication.getTokenAttributes().entrySet().stream()
        .forEach(e -> System.out.println(e.getKey() + ": " + e.getValue().toString()));
    return "ok"; // placeholder response; the original omitted the return
}

I have to now figure out the minimal code needed for the functionality:
https://auth0.com/blog/spring-boot-authorization-tutorial-secure-an-api-java/#
