Including organization members' permissions in the IdToken

Hi folks,

I’m looking for a way to include Organization Members’ permissions inside the id token. Following this thread, I was able to include the user’s permissions, however as I’m using the Organization concept, what I need is actually the permissions from that user inside the Organization.

I’m not seeing any method in the Management API that I can use to accomplish that. If I go for the user’s permissions, every time my app assigns a role to a user inside an organization (member), I would need to assign the same role to the user outside the organization.

Also, when I enable the RBAC with permissions inside the access token, it uses the permissions from the organization. It can cause a discrepancy if I have users’ permissions in the id token and organization users’ permissions in the access token.

Hi @matheus.ferreira,

Welcome to the Auth0 Community!

I am looking into your inquiry and will get back to you as soon as I have updates.

Thank you.

Hi @matheus.ferreira,

Thank you for your patience.

After looking into this further, there are some things I would like to address.

First, the permissions assigned to a user are not dependent on an Organization, but rather on the API, meaning that they are separate from one another.

Moreover, the thread you shared is the correct way to get the user’s permissions appended to the ID token. The proposed Rule will append the user’s permissions to the ID token for every user, regardless of their Organization status. With that said, I can confirm that this approach is correct.

Next, when enabling the Add Permissions in the Access Token toggle in your API RBAC settings, it will append a permissions claim in the Access token of the permissions assigned to the user. Recall that the user can be assigned from a list of permissions created for the API.

In this case, the access token would look something like the following:

{
  //Redacted claims for brevity
  "permissions": [
    "read:reports",
    "update:reports"
  ]
}

Circling back, I recommend using the Rule to append the user’s permission to your ID token.

I hope this addresses your concerns.

Please do not hesitate to reach out if you have any further questions.

Thank you.
