I’m looking for a way to include Organization Members’ permissions inside the id token. Following this thread, I was able to include the user’s permissions, however as I’m using the Organization concept, what I need is actually the permissions from that user inside the Organization.
I’m not seeing any method in the Management API that I can use to accomplish that. If I go for the user’s permissions, every time my app assigns a role to a user inside an organization (member), I would need to assign the same role to the user outside the organization.
Also, when I enable the RBAC with permissions inside the access token, it uses the permissions from the organization. It can cause discrepancy if I have users’ permissions in the id token and organization users’ permissions in the access token.
After looking into this further, there are some things I would like to address.
First, the permissions assigned to a user are not dependent on an Organization, but rather on the API; Meaning that they are separate from one another.
Moreover, the thread you shared is the correct way to get the user’s permissions appended to the ID token. The proposed Rule will append the user’s permissions to the ID token for every user, regardless of their Organization status. With that said, I can confirm that this approach is correct.
Next, when enabling the Add Permissions in the Access Token toggle in your API RBAC settings, it will append a permissions claim in the Access token of the permissions assigned to the user. Recall that the user can be assigned from a list of permissions created for the API.
In this case, the access token would look something like the following: