I am experiencing issues with Role-Based Access Control (RBAC) and access token scopes in Auth0 for my application, BoardMeeting.app. I have configured a user (secretary@boardmeeting.app) with restricted permissions to my API. This user has a “secretary” role configured in Auth0, which includes the “read:organizations” permission but not the “update:organizations” permission, which is assigned only to the “administrator” role.
Steps to Reproduce:
- Configure a user (secretary@boardmeeting.app) with the “secretary” role in Auth0.
- Assign the “read:organizations” permission to the “secretary” role.
- Assign the “update:organizations” permission to the “administrator” role.
- Use the Resource Owner Password Flow to obtain an access token with the following request:
POST https://{{Auth0Domain}}/oauth/token
Content-Type: application/json
{
"grant_type":"password",
"username":"secretary@boardmeeting.app",
"password":"{{Auth0UserSecretaryPassword}}",
"audience":"https://api.boardmeeting.app/api/",
"scope":"profile email",
"client_id":"{{Auth0WebappClientId}}",
"client_secret":"{{Auth0WebappClientSecret}}"
}
Observed Behavior:
- When RBAC is enabled in the API, the access token returned does not include any API scopes:
{
"access_token": "eyJhbGciOi...",
"scope": "profile email",
"expires_in": 86400,
"token_type": "Bearer"
}
- When “Add permissions to the access token” is enabled, the access token still does not include the expected API scopes:
{
"access_token": "...",
"scope": "profile email",
"expires_in": 86400,
"token_type": "Bearer"
}
- When RBAC is disabled, the access token includes all scopes in the API, including those the user does not have!
{
"access_token": "eyJhbG...",
"scope": "profile email read:organizations update:organizations read:boards ...",
"expires_in": 86400,
"token_type": "Bearer"
}
Expected Behavior: The access token should include only the scopes assigned to the user’s role when RBAC is enabled and “Add permissions to the access token” is enabled.
Please advise on how to resolve this issue.
Thank you.
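As an added example (not code from the original post or from Auth0), this shows the API-side check that should back whichever token the client ends up with: the authorization decision is made from the `permissions` claim, which is where Auth0 places RBAC permissions when “Add Permissions in the Access Token” is enabled, never from the `scope` string that, with RBAC disabled, lists every API scope. The token builder, helper names and sample payloads are constructed for offline testing; a real API verifies the signature and audience before reading any claim.

```python
import base64
import json

# Hypothetical helpers: JWT segments are base64url without padding.
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_token(payload: dict) -> str:
    """Constructed, unsigned JWT for offline tests; the signature is a placeholder."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{header}.{body}.signature-placeholder"

def decode_payload(token: str) -> dict:
    """Return the payload claims. This only inspects claims; in production the
    signature, issuer and audience are verified (e.g. via JWKS) before trusting them."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def has_permission(payload: dict, required: str) -> bool:
    """RBAC decision: trust only the `permissions` claim, not the `scope` string."""
    return required in payload.get("permissions", [])

def over_granted_scopes(payload: dict, api_scopes: set) -> set:
    """API scopes present in `scope` but not backed by a permission: the symptom
    the post observes with RBAC disabled. A non-empty result is worth alerting on."""
    granted = set(payload.get("scope", "").split()) & api_scopes
    return granted - set(payload.get("permissions", []))

# Scopes defined on the API (the post lists these three plus "...").
API_SCOPES = {"read:organizations", "update:organizations", "read:boards"}

# Constructed payloads mirroring the post's cases: RBAC on with permissions added,
# and RBAC off where every API scope is granted regardless of role.
RBAC_ON = {"aud": "https://api.boardmeeting.app/api/", "scope": "profile email",
           "permissions": ["read:organizations"]}
RBAC_OFF = {"aud": "https://api.boardmeeting.app/api/",
            "scope": "profile email read:organizations update:organizations read:boards"}

if __name__ == "__main__":
    secretary = decode_payload(make_unsigned_token(RBAC_ON))
    print("secretary may update:", has_permission(secretary, "update:organizations"))
    print("over-granted with RBAC off:", over_granted_scopes(RBAC_OFF, API_SCOPES))
```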