JWT validaiton scope issue

dibeesh · October 24, 2019, 4:23am

Hi,

I am building role-based access control ([RBAC], I want to get users role-based permission in my access token. So I wrote a rule as follows.
Now am getting scope inside a namespace parameter.

ie
{
“http://user.com/roles”: [
“vendor”
],
“http://scope.com/scope”: [
“create:users”,
“delete:users”,
“read:users”,
“update:users”
],
“nickname”: “dibeesh”
}

But am doing jwt validation as per this documentation Auth0 Node (Express) API SDK Quickstarts: Authorization
and they want scope inside token in a format like below

{
“http://user.com/roles”: [
“vendor”
],
“scope”: [
“create:users”,
“delete:users”,
“read:users”,
“update:users”
],
“nickname”: “dibeesh”
}

So I tried to pass ‘permission’ without namespaces in the ‘rule’, but it’s not working for me, and I read that 'Removing the namespace from custom claims isn’t
possible’ie (Custom claim without namespace)

eg://
context.idToken[‘scope’] = permissionsArr;

How to achieve scope validation using without passing scope as namespace?

function (user, context, callback) {
var map = require(‘array-map’);
var ManagementClient = require(‘auth0@2.17.0’).ManagementClient;
var management = new ManagementClient({
token: auth0.accessToken,
domain: auth0.domain
});
const namespace = ‘http://scope.com’;

var params = { id: user.user_id, page: 0, per_page: 50, include_totals: true };
management.getUserPermissions(params, function (err, permissions) {
if (err) {
// Handle error.
console.log('err: ', err);
callback(err);
} else {
var permissionsArr = map(permissions.permissions, function (permission) {
return permission.permission_name;
});
context.idToken[namespace + ‘/scope’] = {
scope: permissionsArr
};
context.idToken[‘scope’] = permissionsArr;
}
callback(null, user, context);
});
}

dan.woda · October 24, 2019, 11:24pm

Repeating the answer from the other thread here for visibility. We can continue the conversation here or there, feel free to respond to either.

@dibeesh,

You will need to request the scopes with the token.

Just to clarify, we are talking about permissions in two different ways here.

First, when we talk about scopes (specifically the scope claim in the token) we are talking about the permissions that have been requested with the token and been granted. See this document to understand how to request scopes with for the token:

Second, when we are adding the permissions to the token in a custom claim in a rule, we are simply adding all of the available permissions for the user to a custom claim, indicating what permissions the user can request. There is not a straightforward way to do this because it is kind of working around the intended purpose of the scope claim.

Hope this helps!

Thanks,
Dan

dibeesh · October 25, 2019, 4:08am

Thank you…solved the validation issue in express-jwt-authz npm itself, they have a ‘customScopeKey’ option to get the scope from that variable.

system · November 9, 2019, 4:08am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.