In a rule, user.permissions is empty

zblocker_debtx · July 6, 2020, 10:58pm

I have an API with a permission, and I’ve assigned that permission to a role, and that role to a user.

I am trying to build a rule which puts user permissions in the ID token. I have tried user.permissions and also context.authorization.permissions. Neither are yielding any data.

I have also tried explicitly turning on RBAC for the API I created, and checking the setting that says “Add Permissions in the Access Token”. Nothing seems to expose those properties in either user.permissions or context.authorization.permissions.

Help?

art.rosnovsky · July 7, 2020, 12:01am

Hey @zblocker_debtx!

I may be completely off here, but have you tried this, especially this part:

[enable] “Add Permissions in the Access Token” (or enable RBAC via the Management API and set the Token Dialect to access_token_authz)

Token Dialect is key here: if set to access_token, no permissions will be available.

In theory, if your accessToken contains roles/permissions, you should be able to assign these roles to users.

You may not need roles here per se, but I hope it points you in the right direction. If not, let me know and let’s investigate this further.

zblocker_debtx · July 7, 2020, 12:58am

Unfortunately that seems to have no effect whatsoever. I tried it with “Enable RBAC” on and also “Add Permissions in the Access Token”, and then turned off “Add Permissions in the Access Token” but left on “Enable RBAC”, then turned both off.

In all cases, the same thing happened:

user.permissions - Null or undefined
user.roles - Null or undefined
context.authorization.permissions - Null or undefined
context.authorization.roles - The array of roles correctly populated.

So no matter what my “RBAC” settings for my API are, I get roles and only roles, no permissions in either of the two places I looked.

zblocker_debtx · July 7, 2020, 1:05am

One more - I’m not getting any hits on context.accessToken.scope either, no matter what the API’s RBAC settings. Just thought I’d try that one too.

zblocker_debtx · July 7, 2020, 2:08pm

I think I am beginning to understand. We are not currently using the Authorization Extension as shown here.

Does this mean that if we use Core instead of Extension method of RBAC, that we do not have programmatic access to permissions in a rule?

dillon.z · August 30, 2020, 8:32pm

bump on this, I have the same question.

konrad.sopala · August 31, 2020, 8:35am

Hey there @art.rosnovsky, can you follow up on this? Thank you!

zblocker_debtx · August 31, 2020, 1:42pm

My conclusion at the time, to the best of my knowledge was that only the extension offered programmatic access to the collections I was interested in. But that seems to be a completely different system than Core.