M2M JWTs and Flutter native application JWT with scopes

Hello All,
I am currently using Auth0 authentication in my Flutter application for login. So far it returns an access token and ID token, which I have got to have the payload of user name, email, profile pic, etc. I am trying to use Auth0 Actions to include a user's permission scopes, but this is proving very tough. I am using a native application in Auth0 for the authentication, but I have had success making curl requests to a machine-to-machine API in Auth0 and returning user scopes. I am trying to get JWTs issued in some way, whether that's via an Auth0 Action for the native login to call the M2M API and get a JWT, or for the native app to issue JWTs with scopes, either or. My API validates JWTs issued from the M2M API perfectly, so I just need to find a way around this roadblock. This is the code in Flutter for some background:

```dart
// AuthService.dart
import 'package:auth0_flutter/auth0_flutter.dart';

class AuthService {
  late final Auth0 auth0;

  AuthService() {
    auth0 = Auth0("toothtrack.uk.auth0.com", "msGZeRYVaru9GhEE1bF4lCC3qRQD1MCQ");
  }

  // Updated to return a Map containing both the Access Token and ID Token.
  Future<Map<String, String?>> login(String scheme) async {
    try {
      final result = await auth0.webAuthentication(scheme: scheme).login();
      if (result.accessToken != null && result.idToken != null) {
        print("Access Token: ${result.accessToken}");
        print("ID Token: ${result.idToken}"); // Assuming ID token is now accessible
        return {
          'accessToken': result.accessToken,
          'idToken': result.idToken, // Store the ID token
        };
      } else {
        return {};
      }
    } catch (e) {
      print("Login error: $e");
      return {};
    }
  }

  Future<void> logout(String scheme) async {
    try {
      await auth0.webAuthentication(scheme: scheme).logout();
      print("Logout successful.");
    } catch (e) {
      print("Logout error: $e");
    }
  }
}
```

And the Auth0 Action:

```javascript
function (user, context, callback) {
  // Access user data from the rule context
  const { roles } = user; // Assuming user object contains roles

  // Modify the ID token payload
  context.idTokenClaims = {
    ...context.idTokenClaims, // Keep existing claims
    permissions: roles, // Add user permissions as "permissions" claim
  };

  callback(null, user, context); // Pass modified user and context
}
```

I am hoping for someone to point me in the right direction. Thanks in advance.

Hey @connor.caunt !

Just to confirm here - You are indeed getting an ID token and access token in your app successfully, but you are unable to get a user’s permissions in their ID token? Can you help me understand the need for a user’s permissions in the ID token? Typically, permissions should be added to the access token which is subsequently used against an API.

The more detailed use case description you can provide the better :slight_smile:

Yes I am getting an ID token and Access token, this screenshot might help.

So if we use jwt.io to see the contents of the ID token, the payload is:

```json
{
  "nickname": "conrad1002442",
  "name": "conrad1002442@icloud.com",
  "picture": "https://s.gravatar.com/avatar/5b072b873b3e569a77823c0373e812ec?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fco.png",
  "updated_at": "2024-02-27T10:17:46.052Z",
  "email": "conrad1002442@icloud.com",
  "email_verified": false,
  "iss": "https://toothtrack.uk.auth0.com/",
  "aud": "msGZeRYVaru9GhEE1bF4lCC3qRQD1MCQ",
  "iat": 1709029069,
  "exp": 1709065069,
  "sub": "auth0|65db915e0fcb091d7b1d17b1",
  "sid": "GdQAojJ2HJ6iNC6rABkqZdQpkSsCLJWf"
}
```

The payload of the JWT Bearer token from my Machine to Machine Auth0 API is:

```json
{
  "iss": "https://toothtrack.uk.auth0.com/",
  "sub": "7M3oNO5J6U2xyPPElxuu0GTzmJN3UDR0@clients",
  "aud": "https://toothtrack.live",
  "iat": 1709029264,
  "exp": 1709115664,
  "azp": "7M3oNO5J6U2xyPPElxuu0GTzmJN3UDR0",
  "scope": "read:patients",
  "gty": "client-credentials",
  "permissions": [
}
```

So the access token returned by Auth0 to my Flutter app doesn’t include user permissions or scopes, which of course is my big issue. The app needs a JWT with scopes to validate requests to my API, hence it’s configured to use my Auth0 M2M API JWT Bearer tokens, but this can’t be used for a native app login from Auth0. I hope that makes slightly more sense; the app authenticates users with Auth0 and stores the token to be used for calls to the API.

Thanks for the extra context :slight_smile:

Are you using RBAC? The 3rd section in the linked doc discusses enabling a setting to add permissions to access tokens - Perhaps that is what you’re looking for?

Thanks for your response again. But can RBAC be included in the access and ID tokens returned to a Flutter app after using an Auth0 native app login?

No, that setting adds permissions to access tokens only - If you need permissions in ID tokens you’ll need to do so manually:

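
An added example, not part of the original thread and not Auth0's code: a sketch of the authorization check an API could run on a JWT payload whose signature has already been verified, showing why the ID token above is rejected while an access token carrying `permissions` (user) or `scope` (M2M) is accepted. The issuer, audience and client ID are taken from the payloads quoted in the thread; the function names, the user access token and the clock value are constructed assumptions.

```javascript
// Added example: runs on an ALREADY signature-verified payload.
// ISSUER and API_AUDIENCE come from the payloads quoted in the thread;
// grantedPermissions() and authorize() are hypothetical names.
const ISSUER = "https://toothtrack.uk.auth0.com/";
const API_AUDIENCE = "https://toothtrack.live";

// Collect grants from both places they can appear: the space-delimited
// `scope` string and the RBAC `permissions` array.
function grantedPermissions(payload) {
  const fromScope = typeof payload.scope === "string"
    ? payload.scope.split(" ").filter(Boolean) : [];
  const fromRbac = Array.isArray(payload.permissions)
    ? payload.permissions.filter((p) => typeof p === "string") : [];
  return new Set([...fromScope, ...fromRbac]);
}

function authorize(payload, required, nowSeconds) {
  if (payload.iss !== ISSUER) return { ok: false, reason: "wrong issuer" };
  // `aud` may be a string or an array. An ID token carries the client ID
  // here, so it fails this check and can never authorize an API call.
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(API_AUDIENCE)) return { ok: false, reason: "wrong audience" };
  if (typeof payload.exp !== "number" || payload.exp <= nowSeconds)
    return { ok: false, reason: "expired" };
  if (!grantedPermissions(payload).has(required))
    return { ok: false, reason: "missing permission" };
  // Tell machine tokens apart from user tokens, e.g. for audit logging.
  const kind = payload.gty === "client-credentials" ? "machine" : "user";
  return { ok: true, kind, subject: payload.sub };
}

// Samples shaped like the payloads in the thread (trimmed).
const idToken = { iss: ISSUER, aud: "msGZeRYVaru9GhEE1bF4lCC3qRQD1MCQ",
  sub: "auth0|65db915e0fcb091d7b1d17b1", iat: 1709029069, exp: 1709065069 };
const m2mToken = { iss: ISSUER, aud: API_AUDIENCE, gty: "client-credentials",
  sub: "7M3oNO5J6U2xyPPElxuu0GTzmJN3UDR0@clients", scope: "read:patients",
  iat: 1709029264, exp: 1709115664 };
// Constructed: a user access token with the RBAC `permissions` claim added.
const userToken = { iss: ISSUER, aud: [API_AUDIENCE, ISSUER + "userinfo"],
  sub: "auth0|65db915e0fcb091d7b1d17b1", scope: "openid profile email",
  permissions: ["read:patients"], iat: 1709029069, exp: 1709115469 };

const NOW = 1709030000; // constructed clock value inside every validity window
console.log(authorize(idToken, "read:patients", NOW));   // rejected: wrong audience
console.log(authorize(m2mToken, "read:patients", NOW));  // accepted as machine
console.log(authorize(userToken, "read:patients", NOW)); // accepted as user
```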