In a rule, user.permissions is empty

I have an API with a permission, and I’ve assigned that permission to a role, and that role to a user.

I am trying to build a rule which puts user permissions in the ID token. I have tried user.permissions and also context.authorization.permissions. Neither are yielding any data.

I have also tried explicitly turning on RBAC for the API I created, and checking the setting that says “Add Permissions in the Access Token”. Nothing seems to expose those properties in either user.permissions or context.authorization.permissions.


Hey @zblocker_debtx!

I may be completely off here, but have you tried this, especially this part:

[enable] “Add Permissions in the Access Token” (or enable RBAC via the Management API and set the Token Dialect to access_token_authz)

Token Dialect is key here: if set to access_token, no permissions will be available.

In theory, if your accessToken contains roles/permissions, you should be able to assign these roles to users.

You may not need roles here per se, but I hope it points you in the right direction. If not, let me know and let’s investigate this further.

Unfortunately that seems to have no effect whatsoever. I tried it with “Enable RBAC” on and also “Add Permissions in the Access Token”, and then turned off “Add Permissions in the Access Token” but left on “Enable RBAC”, then turned both off.

In all cases, the same thing happened:

  • user.permissions - Null or undefined
  • user.roles - Null or undefined
  • context.authorization.permissions - Null or undefined
  • context.authorization.roles - The array of roles correctly populated.

So no matter what my “RBAC” settings for my API are, I get roles and only roles, no permissions in either of the two places I looked.

One more - I’m not getting any hits on context.accessToken.scope either, no matter what the API’s RBAC settings. Just thought I’d try that one too.

I think I am beginning to understand. We are not currently using the Authorization Extension as shown here.

Does this mean that if we use the Core method of RBAC instead of the Extension, we do not have programmatic access to permissions in a rule?

bump on this, I have the same question.

Hey there @art.rosnovsky, can you follow up on this? Thank you!

My conclusion at the time, to the best of my knowledge, was that only the extension offered programmatic access to the collections I was interested in. But that seems to be a completely different system than Core.