Auth0 Home Blog Docs

JWT validaiton scope issue

Hi,

I am building role-based access control ([RBAC], I want to get users role-based permission in my access token. So I wrote a rule as follows.
Now am getting scope inside a namespace parameter.

ie
{
http://user.com/roles”: [
“vendor”
],
http://scope.com/scope”: [
“create:users”,
“delete:users”,
“read:users”,
“update:users”
],
“nickname”: “dibeesh”
}

But am doing jwt validation as per this documentation https://auth0.com/docs/quickstart/backend/nodejs/01-authorization
and they want scope inside token in a format like below

{
http://user.com/roles”: [
“vendor”
],
“scope”: [
“create:users”,
“delete:users”,
“read:users”,
“update:users”
],
“nickname”: “dibeesh”
}

So I tried to pass ‘permission’ without namespaces in the ‘rule’, but it’s not working for me, and I read that 'Removing the namespace from custom claims isn’t
possible’ie (Custom claim without namespace)

eg://
context.idToken[‘scope’] = permissionsArr;

How to achieve scope validation using without passing scope as namespace?

function (user, context, callback) {
var map = require(‘array-map’);
var ManagementClient = require(‘auth0@2.17.0’).ManagementClient;
var management = new ManagementClient({
token: auth0.accessToken,
domain: auth0.domain
});
const namespace = ‘http://scope.com’;

var params = { id: user.user_id, page: 0, per_page: 50, include_totals: true };
management.getUserPermissions(params, function (err, permissions) {
if (err) {
// Handle error.
console.log('err: ', err);
callback(err);
} else {
var permissionsArr = map(permissions.permissions, function (permission) {
return permission.permission_name;
});
context.idToken[namespace + ‘/scope’] = {
scope: permissionsArr
};
context.idToken[‘scope’] = permissionsArr;
}
callback(null, user, context);
});
}

Repeating the answer from the other thread here for visibility. We can continue the conversation here or there, feel free to respond to either.

@dibeesh,

You will need to request the scopes with the token.

Just to clarify, we are talking about permissions in two different ways here.

First, when we talk about scopes (specifically the scope claim in the token) we are talking about the permissions that have been requested with the token and been granted. See this document to understand how to request scopes with for the token:

Second, when we are adding the permissions to the token in a custom claim in a rule, we are simply adding all of the available permissions for the user to a custom claim, indicating what permissions the user can request. There is not a straightforward way to do this because it is kind of working around the intended purpose of the scope claim.

Hope this helps!

Thanks,
Dan

1 Like

Thank you…solved the validation issue in express-jwt-authz npm itself, they have a ‘customScopeKey’ option to get the scope from that variable.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.