I have an API with a permission, and I’ve assigned that permission to a role, and that role to a user.
I am trying to build a rule which puts user permissions in the ID token. I have tried user.permissions and also context.authorization.permissions. Neither is yielding any data.
I have also tried explicitly turning on RBAC for the API I created, and checking the setting that says “Add Permissions in the Access Token”. Nothing seems to expose those properties in either user.permissions or context.authorization.permissions.
Unfortunately that seems to have no effect whatsoever. I tried it with “Enable RBAC” on and also “Add Permissions in the Access Token”, and then turned off “Add Permissions in the Access Token” but left on “Enable RBAC”, then turned both off.
In all cases, the same thing happened:
user.permissions - Null or undefined
user.roles - Null or undefined
context.authorization.permissions - Null or undefined
context.authorization.roles - The array of roles correctly populated.
So no matter what my “RBAC” settings for my API are, I get roles and only roles, no permissions in either of the two places I looked.
My conclusion at the time, to the best of my knowledge, was that only the extension offered programmatic access to the collections I was interested in. But that seems to be a completely different system than Core.
I have enabled both RBAC and “Add Permissions in the Access Token”. I am seeing the correct permissions on my .NET API security context/identity but am not seeing them in user.permissions in the rule context.
Is there something else required to enable population of the user.permissions property in the rule context?
Not sure if this is still an open question, but I was able to get the permissions (core, not extension) with: idTokenClaims[`${namespace}/permissions`] = user.app_metadata.authorization.permissions || [];
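An added example, not code from any poster in this thread or from Auth0: a function in the rule shape (user, context, callback) that copies context.authorization.roles and the app_metadata path from the last post into namespaced ID token claims, tolerating the undefined values reported above. The namespace URL, the helper names and the fallback order are assumptions made for illustration.

```javascript
// NAMESPACE is a constructed placeholder; use a URL you control.
const NAMESPACE = 'https://example.com/claims';

// Return a de-duplicated array of non-empty strings, or [] for anything else
// (undefined, null, a string, an object), so a missing property never throws
// and a malformed value never reaches the token.
function stringList(value) {
  if (!Array.isArray(value)) return [];
  return [...new Set(value.filter((v) => typeof v === 'string' && v.length > 0))];
}

function addAuthorizationClaims(user, context, callback) {
  const authz = context.authorization || {};
  const meta = (user && user.app_metadata && user.app_metadata.authorization) || {};

  // Roles: the thread reports context.authorization.roles as populated.
  const roles = stringList(authz.roles);

  // Permissions: use context.authorization.permissions if it is present
  // (assumption: the thread reports it undefined), otherwise fall back to
  // the app_metadata path given in the last post.
  const fromContext = stringList(authz.permissions);
  const permissions = fromContext.length ? fromContext : stringList(meta.permissions);

  // Always emit arrays under namespaced keys so consumers never see undefined.
  context.idToken = context.idToken || {};
  context.idToken[`${NAMESPACE}/roles`] = roles;
  context.idToken[`${NAMESPACE}/permissions`] = permissions;
  callback(null, user, context);
}

// Hypothetical helper: run the rule against constructed sample objects and
// return the resulting ID token claims.
function runSample(user, context) {
  let claims;
  addAuthorizationClaims(user, context, (err, u, c) => { claims = c.idToken; });
  return claims;
}
```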