Logical API not returning linked API Permissions with RBAC

We aren’t seeing permissions returned through the logical API as we’d expect. We have the user assigned a role with permissions from the linked APIs and are requesting them as scopes when we request the token. RBAC is turned on for each API and so is the “Add Permissions to Token” option. In each linked API, we’ve granted all permissions to the logical API and authorized it to request tokens.

Is there any obvious reason this setup wouldn’t just work? Thanks!

Hi @phillip.jacowski,

Welcome to the Auth0 Community!

I have just tested RBAC with permissions on my tenant and was successfully able to request an access token with the permissions in the token. See below:

Could you please clarify if you have included the audience parameter in the /authorize request? If not, I recommend setting your logical API identifier as the audience parameter of the request.

This should request an access token with the permissions array in the data.

Please let me know how it goes for you.

Thanks,
Rueben

We’ve set the proper audience, yes. I see that you aren’t requesting any scopes, so are the permissions you have returned role-based and part of the same logical API? I’d like to request a custom scope for permissions that are provided by a linked API and forwarded through the logical API. Have you seen that work? Thanks

Hi @phillip.jacowski,

Thank you for your response.

The permissions returned in the Access Token are role-based and part of the same API when using RBAC.

Yes, you can make a request with custom scopes and get the permissions of the user for that API.

To make a request with custom scopes, you will need to include them in the scope parameter of the request.

And to get the permissions in the access token, you will need to enable the RBAC settings of your Logical API. I believe you have done this step already.

Does that help?

Thanks,
Rueben
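A way to check the two things discussed in this thread (the audience and scope parameters on the /authorize request, and the permissions array in the resulting access token), as an added example that is not part of the original posts or Auth0's own code. The tenant domain, API identifier, client values and scope names are assumed placeholders, and the sample token is constructed and unsigned.

```python
import base64
import json
from urllib.parse import urlencode

TENANT = "example-tenant.example.com"           # assumed placeholder domain
LOGICAL_API = "https://logical-api.example.com"  # assumed logical API identifier


def build_authorize_url(client_id, redirect_uri, scopes, state):
    """Build an /authorize request that carries both audience and scope."""
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "audience": LOGICAL_API,
        "scope": " ".join(scopes),
        "state": state,
    })
    return f"https://{TENANT}/authorize?{query}"


def decode_claims(jwt):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_token(jwt, custom_scopes):
    """Report which requested custom scopes are absent from scope/permissions."""
    claims = decode_claims(jwt)
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # aud may be a string or a list
    wanted = set(custom_scopes)
    return {
        "audience_ok": LOGICAL_API in aud,
        "missing_from_scope": sorted(wanted - set(claims.get("scope", "").split())),
        "missing_from_permissions": sorted(wanted - set(claims.get("permissions", []))),
    }


def make_sample_token(claims):
    """Constructed, unsigned token so the audit can be run offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Use `audit_token` only for troubleshooting; an API must still validate the token's signature, issuer and audience before trusting any claim.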
