JWT permissions empty

I have 3 apps, frontend (SPA), backend (Machine-machine NextJS SSR), and a newly developed API with RBAC enabled.

  • The frontend and backend are working fine. I’ve also added some custom roles to namespaced custom claims (via actions) and can check for them on the backend to do server-side rendering, for example: if the user has role admin, render the admin page.

  • Now we’re introducing a new API with both RBAC and “Add permissions to token” enabled. When I go to the test page to generate a test token and check it on jwt.io, the permissions array is empty. I understand why this is the case: I’m not logging in as the user.

  • Next I added a few test permissions for the API, e.g. read:stats, write:stats, and added them to the admin role, which my test user clearly has.

Now my issue is that when I inspect the accessToken (not idToken) from the SPA, I only see the custom claims I added in the actions, but not the permissions array.

Do I need to manually add the permissions array as custom claims? Or use the auth extension?

The custom API settings page clearly states:

If this setting is enabled, the Permissions claim will be added to the access token.

Hi @nacho,

Thanks for reaching out to the Auth0 Community!

I understand that you would like some clarification around adding Permissions to Tokens.

From what I can tell, it looks like you have configured RBAC correctly and have enabled the correct setting (Add permissions to token).

However, after my tests, I found the same observations where the permissions array is not populated.

In this situation, I recommend working around this situation by appending the permissions as a custom claim in the Access Token.

I hope this helps!

Please let me know if you need any further help.

Thanks!
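
With the workaround suggested above, an API may find permissions either in the `permissions` claim or in a namespaced custom claim. The following Node.js code is an added example, not part of the original thread or Auth0's own code: it decodes an access token payload for inspection (as jwt.io does) and reports which of the two carries the permissions. The namespace `https://example.com/`, the audience `https://api.example.com` and the sample tokens are constructed assumptions.

```javascript
// Decoding is NOT verification: an API must validate signature, issuer and
// audience with a JWT library before trusting any claim shown here.
const NAMESPACE = "https://example.com/"; // hypothetical custom-claim namespace
const AUDIENCE = "https://api.example.com"; // hypothetical API identifier

function decodePayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("expected 3 dot-separated segments");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Report where (if anywhere) the token carries permissions.
function describePermissions(jwt, expectedAudience) {
  const p = decodePayload(jwt);
  const audiences = [].concat(p.aud ?? []); // aud may be a string or an array
  const rbac = Array.isArray(p.permissions) ? p.permissions : null;
  const customRaw = p[NAMESPACE + "permissions"];
  const custom = Array.isArray(customRaw) ? customRaw : null;
  const useRbac = rbac !== null && rbac.length > 0;
  const useCustom = !useRbac && custom !== null && custom.length > 0;
  return {
    audienceMatches: audiences.includes(expectedAudience),
    hasPermissionsClaim: rbac !== null,
    source: useRbac ? "permissions" : useCustom ? "custom-claim" : "none",
    effective: useRbac ? rbac : useCustom ? custom : [],
  };
}

function hasPermission(jwt, expectedAudience, needed) {
  const d = describePermissions(jwt, expectedAudience);
  return d.audienceMatches && d.effective.includes(needed);
}

// Constructed sample tokens (dummy signature, for offline inspection only).
const seg = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
const sampleToken = (payload) =>
  `${seg({ alg: "RS256", typ: "JWT" })}.${seg(payload)}.constructed-signature`;

const emptyRbacWithCustom = sampleToken({
  aud: AUDIENCE, permissions: [],
  [NAMESPACE + "roles"]: ["admin"],
  [NAMESPACE + "permissions"]: ["read:stats", "write:stats"],
});
const populatedRbac = sampleToken({ aud: [AUDIENCE], permissions: ["read:stats"] });
const rolesOnly = sampleToken({ aud: AUDIENCE, [NAMESPACE + "roles"]: ["admin"] });

console.log(describePermissions(emptyRbacWithCustom, AUDIENCE));
console.log(describePermissions(populatedRbac, AUDIENCE));
console.log(describePermissions(rolesOnly, AUDIENCE));
```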