I have 3 apps, frontend (SPA), backend (Machine-machine NextJS SSR), and a newly developed API with RBAC enabled.
The frontend and backend are working fine. I’ve also added some custom roles to namespaced custom claims (via actions) and can check for them on the backend to do server-side rendering, for example: if the user has role admin, render the admin page.
Now we’re introducing a new API with both RBAC and “Add permissions to token” enabled. When I go to the test page to generate a test token and check it on jwt.io, the permissions array is empty. I understand why this is the case, I’m not logging as the user.
Next I added a few test permissions for the API, e.g. `write:stats`, and added them to the admin role, which my test user clearly has.
Now my issue is that when I inspect the accessToken (not the idToken) from the SPA, I only see the custom claims I added in the actions, but not the permissions array.
Do I need to manually add the permissions array as custom claims? Or use the auth extension?
The custom API settings page clearly states:
If this setting is enabled, the Permissions claim will be added to the access token.
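An added example (the editor's, not part of the original post) that decodes an access token's payload and reports which of the claims discussed above it carries: the namespaced custom claims, the `permissions` array, and whether the token's `aud` names the API at all, since Auth0 only adds the permissions claim to a token that was requested for an API with RBAC enabled. The API identifier, claim namespace and sample tokens are constructed placeholders, and the decode is unverified inspection only, not a substitute for signature validation.

```javascript
// Added example: inspect an Auth0 access token for RBAC-related claims.
// Placeholders (assumptions, not values from the original post):
const API_AUDIENCE = 'https://api.example.com';   // the API identifier the SPA must request
const CLAIM_NAMESPACE = 'https://example.com/';   // namespace used by the Action for custom claims

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Decode the payload segment without verifying the signature (inspection only).
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT; an opaque token has no claims to read');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Summarise what the token carries and why the permissions array might be missing.
function inspectAccessToken(token) {
  const payload = decodeJwtPayload(token);
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  const customClaims = Object.keys(payload).filter((k) => k.startsWith(CLAIM_NAMESPACE));
  const permissions = Array.isArray(payload.permissions) ? payload.permissions : null;
  const forApi = aud.includes(API_AUDIENCE);
  let diagnosis;
  if (permissions && permissions.length > 0) diagnosis = 'ok';
  else if (!forApi) diagnosis = 'token-not-for-api'; // no audience -> permissions claim never added
  else diagnosis = 'no-permissions';                 // minted for the API, yet empty: check RBAC/role setup
  return { forApi, customClaims, permissions, diagnosis };
}

// Constructed sample tokens with a dummy signature segment; never trust these for authz.
function makeSampleToken(payload) {
  const header = base64UrlEncode({ alg: 'RS256', typ: 'JWT' });
  return `${header}.${base64UrlEncode(payload)}.dummysig`;
}

// Token obtained without an audience: only the Action's custom claims are present.
const TOKEN_WITHOUT_AUDIENCE = makeSampleToken({
  iss: 'https://TENANT.auth0.com/', sub: 'auth0|123',
  aud: 'https://TENANT.auth0.com/userinfo',
  [`${CLAIM_NAMESPACE}roles`]: ['admin'],
});

// Token requested with the API's audience: the permissions claim is included.
const TOKEN_FOR_API = makeSampleToken({
  iss: 'https://TENANT.auth0.com/', sub: 'auth0|123',
  aud: [API_AUDIENCE, 'https://TENANT.auth0.com/userinfo'],
  [`${CLAIM_NAMESPACE}roles`]: ['admin'],
  permissions: ['write:stats'],
});
```

Run it with Node 16 or later (for the `base64url` encoding) and pass a real SPA access token to `inspectAccessToken` to see which case applies.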