In a rule, user.permissions is empty

zblocker_debtx · July 6, 2020, 10:58pm

I have an API with a permission, and I’ve assigned that permission to a role, and that role to a user.

I am trying to build a rule which puts user permissions in the ID token. I have tried user.permissions and also context.authorization.permissions. Neither are yielding any data.

I have also tried explicitly turning on RBAC for the API I created, and checking the setting that says “Add Permissions in the Access Token”. Nothing seems to expose those properties in either user.permissions or context.authorization.permissions.

Help?

art.rosnovsky · July 7, 2020, 12:01am

Hey @zblocker_debtx!

I may be completely off here, but have you tried this, especially this part:

[enable] “Add Permissions in the Access Token” (or enable RBAC via the Management API and set the Token Dialect to access_token_authz)

Token Dialect is key here: if set to access_token, no permissions will be available.

In theory, if your accessToken contains roles/permissions, you should be able to assign these roles to users.

You may not need roles here per se, but I hope it points you in the right direction. If not, let me know and let’s investigate this further.

zblocker_debtx · July 7, 2020, 12:58am

Unfortunately that seems to have no effect whatsoever. I tried it with “Enable RBAC” on and also “Add Permissions in the Access Token”, and then turned off “Add Permissions in the Access Token” but left on “Enable RBAC”, then turned both off.

In all cases, the same thing happened:

user.permissions - Null or undefined
user.roles - Null or undefined
context.authorization.permissions - Null or undefined
context.authorization.roles - The array of roles correctly populated.

So no matter what my “RBAC” settings for my API are, I get roles and only roles, no permissions in either of the two places I looked.

zblocker_debtx · July 7, 2020, 1:05am

One more - I’m not getting any hits on context.accessToken.scope either, no matter what the API’s RBAC settings. Just thought I’d try that one too.

zblocker_debtx · July 7, 2020, 2:08pm

I think I am beginning to understand. We are not currently using the Authorization Extension as shown here.

Does this mean that if we use Core instead of Extension method of RBAC, that we do not have programmatic access to permissions in a rule?

dillon.z · August 30, 2020, 8:32pm

bump on this, I have the same question.

konrad.sopala · August 31, 2020, 8:35am

Hey there @art.rosnovsky, can you follow up on this? Thank you!

zblocker_debtx · August 31, 2020, 1:42pm

My conclusion at the time, to the best of my knowledge was that only the extension offered programmatic access to the collections I was interested in. But that seems to be a completely different system than Core.

services2 · October 23, 2020, 3:45am

Bump. I ended up here from facing the same issue. Can someone please provide an answer to this?

Do not want to start building our app on a system planned to be deprecated.
Thanks

konrad.sopala · October 23, 2020, 6:51am

Hey there @art.rosnovsky, friendly ping

Edward · October 23, 2020, 4:39pm

@art.rosnovsky,

I have enabled both RBAC and “Add Permissions in the Access Token”. I am seeing the correct permissions on my .NET API security context/identity but am not seeing them in user.permissions in the rule context.

Is there something else required to enable population of the user.permissions property in the rule context?

art.rosnovsky · October 23, 2020, 8:58pm

Dang it, my apologies folks, totally missed the responses :((

Let me take a closer look. Please, DM me tenant names and sample user IDs, and I’ll check the rules/roles/users you folks have.

Again, sorry for the delay, 2020 has been crazy

konrad.sopala · October 26, 2020, 1:26pm

No worries man! We all experience that!

konrad.sopala · October 28, 2020, 12:24pm

Hey everyone it seems that it’s closely related to the issue that those people are reporting:

@supun is working on that so as soon as we find something we’ll let you know! Sorry for the inconvenience!