M2M + API: empty permissions

Hi there.

I have one API with one permission, with “Enable RBAC” and “Add permissions in the Access token” enabled.

Then I have one application Machine to Machine.

The application is Authorized in the API.

When I get a token for the Machine to Machine application, the permissions array is empty.

Why is this not populated?

{
  "iss": "https://xxx.eu.auth0.com/",
  "sub": "BnfXvMslcw11JSEMGEWI2OcOTqeXaR8c@clients",
  "aud": "api-m2m",
  "iat": 1636149139,
  "exp": 1636235539,
  "azp": "BnfXvMslcw11JSEMGEWI2OcOTqeXaR8c",
  "gty": "client-credentials",
  "permissions": []
}

Hi @juan.garbora,

Thanks for reaching out to the Auth0 Community!

I understand that your access token does not have any permissions that you need to access your API.

Usually, when permissions are missing from your access token, it is due to not specifying the scope parameter when requesting an access token.

If this is the case, I recommend that you request the access token with specific scopes that you need.

By doing so, the access token will have specific permissions granted to gain access to a resource.

Please let me know how this works for you.

Thank you.

Thank you @rueben.tiow for your answer.

I can’t find how to set the scopes. Currently I am getting the m2m token like this:

curl --location --request POST 'https://jgarbora.eu.auth0.com/oauth/token' \
--header 'Content-Type: application/json' \
--data-raw '{
    "client_id": "BnfXvMslcw11JSEMGEWI2OcOTqeXaR8c",
    "client_secret": "<client-secret>",
    "audience": "api-m2m",
    "grant_type": "client_credentials"
}'

How should I set the scopes so that the permissions are populated in the JWT?

Hi @juan.garbora,

Thank you for your response.

Before continuing, I have a few troubleshooting steps to make sure that you have configured everything correctly on your Auth0 Dashboard.

First, could you please check that your api-m2m API has configured a list of permissions (scopes)?
You can check by going to the Dashboard > Applications > API > api-m2m > Permissions.

Then, could you please check if you have authorized and assigned those permissions to your application?
You can check on the Machine-to-Machine Applications tab in your API settings and click on the drop-down arrow of an authorized application to assign permissions. Please don’t forget to save your changes.

After that is complete, you can make the same request again, and you should have the defined permissions in the access token.

With that said, I’d like to clarify that you do not need to specify the scope parameter in the request when using a client_credentials grant. The permissions are already assigned to the client. Therefore, the access token will contain those permissions.

The scope parameter is used during an authorization code flow which is not used here.

Please let me know how this goes for you.

Thank you.

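To make the troubleshooting above concrete, here is an added example (it is not code from the thread or from Auth0) that inspects the claims of a freshly obtained client_credentials token and maps the shape of its `permissions` claim to the configuration step just described: claim missing, claim empty (application authorized but no permissions assigned), or populated. It also builds the `/oauth/token` request body without a `scope` parameter, as the answer explains, and shows the permission check an API would apply once it has validated the token. All function names, the sample claims and the `example.eu.auth0.com` domain are constructed for the example; the sample token is unsigned and is never verified here.

```python
import base64
import json


def b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    """Encode bytes as unpadded base64url, the way JWT segments are written."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_payload(token):
    """Return the claims of a compact JWS (header.payload.signature).

    This only reads the payload and does NOT verify the signature, issuer or
    audience. It is meant for looking at a token you just received from
    /oauth/token while troubleshooting; an API must validate the token before
    trusting any claim in it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def diagnose_permissions(claims):
    """Map the 'permissions' claim to the dashboard setting to check."""
    if claims.get("gty") != "client-credentials":
        return "not a client-credentials token; this check targets M2M tokens"
    if "permissions" not in claims:
        return ("no 'permissions' claim: check that 'Enable RBAC' and "
                "'Add Permissions in the Access Token' are enabled on the API")
    if not claims["permissions"]:
        return ("'permissions' is empty: the application is authorized for the "
                "API but no permissions are assigned to it (API settings > "
                "Machine to Machine Applications > expand the app, tick the "
                "permissions, save)")
    return "ok: " + ", ".join(claims["permissions"])


def build_token_request(domain, client_id, client_secret, audience):
    """URL and JSON body for the client_credentials request.

    No 'scope' parameter is sent: for this grant the permissions assigned to
    the client on the API are placed in the token automatically.
    """
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,
        "grant_type": "client_credentials",
    }
    return "https://%s/oauth/token" % domain, body


def has_permission(claims, required):
    """Authorization check an API applies after validating the token."""
    return required in claims.get("permissions", [])


def make_sample_token(claims):
    """Constructed, unsigned sample token for offline demonstration only."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return "%s.%s.placeholder-signature" % (header, payload)


if __name__ == "__main__":
    # Constructed claims mirroring the token shown in the question.
    sample = make_sample_token({
        "iss": "https://example.eu.auth0.com/",
        "aud": "api-m2m",
        "gty": "client-credentials",
        "permissions": [],
    })
    print(diagnose_permissions(decode_payload(sample)))
```

Run the script after exporting a real token to a variable and calling `decode_payload` on it; the diagnosis string tells you which of the two settings (API permissions defined, permissions assigned to the authorized application) is still missing. Note that `diagnose_permissions` requires the token's `gty` claim to be `client-credentials`, which is what Auth0 sets on M2M tokens.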

Thank you @rueben.tiow

Found it!
I was not adding the permission … only authorizing the application.

Thank you.


Hi @juan.garbora,

Great to hear that it works now. We’ve all been there!

Please don’t hesitate to let me know if you have any other questions or concerns. I’d be happy to help!

Have a great rest of your day!
