In a rule, user.permissions is empty

I have an API with a permission, and I’ve assigned that permission to a role, and that role to a user.

I am trying to build a rule which puts user permissions in the ID token. I have tried user.permissions and also context.authorization.permissions. Neither are yielding any data.

I have also tried explicitly turning on RBAC for the API I created, and checking the setting that says “Add Permissions in the Access Token”. Nothing seems to expose those properties in either user.permissions or context.authorization.permissions.


1 Like

Hey @zblocker_debtx!

I may be completely off here, but have you tried this, especially this part:

[enable] “Add Permissions in the Access Token” (or enable RBAC via the Management API and set the Token Dialect to access_token_authz)

:point_up_2: Token Dialect is key here: if set to access_token, no permissions will be available.

In theory, if your accessToken contains roles/permissions, you should be able to assign these roles to users.

You may not need roles here per se, but I hope it points you in the right direction. If not, let me know and let’s investigate this further.

1 Like

Unfortunately that seems to have no effect whatsoever. I tried it with “Enable RBAC” on and also “Add Permissions in the Access Token”, and then turned off “Add Permissions in the Access Token” but left on “Enable RBAC”, then turned both off.

In all cases, the same thing happened:

  • user.permissions - Null or undefined
  • user.roles - Null or undefined
  • context.authorization.permissions - Null or undefined
  • context.authorization.roles - The array of roles correctly populated.

So no matter what my “RBAC” settings for my API are, I get roles and only roles, no permissions in either of the two places I looked.

One more - I’m not getting any hits on context.accessToken.scope either, no matter what the API’s RBAC settings. Just thought I’d try that one too.

I think I am beginning to understand. We are not currently using the Authorization Extension as shown here.

Does this mean that if we use Core instead of Extension method of RBAC, that we do not have programmatic access to permissions in a rule?

bump on this, I have the same question.

Hey there @art.rosnovsky, can you follow up on this? Thank you!

My conclusion at the time, to the best of my knowledge was that only the extension offered programmatic access to the collections I was interested in. But that seems to be a completely different system than Core.

Bump. I ended up here from facing the same issue. Can someone please provide an answer to this?

Do not want to start building our app on a system planned to be deprecated.
Thanks :slight_smile:

Hey there @art.rosnovsky, friendly ping :slight_smile:


I have enabled both RBAC and “Add Permissions in the Access Token”. I am seeing the correct permissions on my .NET API security context/identity but am not seeing them in user.permissions in the rule context.

Is there something else required to enable population of the user.permissions property in the rule context?

Dang it, my apologies folks, totally missed the responses :((

Let me take a closer look. Please, DM me tenant names and sample user IDs, and I’ll check the rules/roles/users you folks have.

Again, sorry for the delay, 2020 has been crazy :confused:

1 Like

No worries man! We all experience that!

Hey everyone it seems that it’s closely related to the issue that those people are reporting:

@supun is working on that so as soon as we find something we’ll let you know! Sorry for the inconvenience!

1 Like

not sure if this is still an open question, but I was able to get the permissions (core, not extension) with: idTokenClaims[${namespace}/permissions] = user.app_metadata.authorization.permissions||[];

1 Like

Thanks for sharing that with the rest of community!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.