Hello All,
I am currently using auth0 authentication in my flutter application for login. So far it returns an access token and ID Token which I have got to have the payload of user name, email, profile pic etc. I am trying to use auth0 actions to include a user's permission scopes but this is proving very tough. I am using a native Application in auth0 for the authentication but I have had success making curl requests to a machine-machine api in auth0 and returning user scopes. I am trying to get JWTs issued in some way, whether that's via an Auth0 action for the native login to call the M2M API and get a JWT token or for the native app to issue JWTs with scopes, either way; my API validates JWTs perfectly issued from the M2M API so I just need to find a way around this roadblock. This is the code in flutter for some background:
Just to confirm here - You are indeed getting an ID token and access token in your app successfully, but you are unable to get a user’s permissions in their ID token? Can you help me understand the need for a user’s permissions in the ID token? Typically, permissions should be added to the access token which is subsequently used against an API.
The more detailed a use case description you can provide, the better.
The payload of the JWT Bearer token from my Machine to Machine Auth0 API is:

    {
      "iss": "https://toothtrack.uk.auth0.com/",
      "sub": "7M3oNO5J6U2xyPPElxuu0GTzmJN3UDR0@clients",
      "aud": "https://toothtrack.live",
      "iat": 1709029264,
      "exp": 1709115664,
      "azp": "7M3oNO5J6U2xyPPElxuu0GTzmJN3UDR0",
      "scope": "read:patients",
      "gty": "client-credentials",
      "permissions": [
        "read:patients"
      ]
    }

So the access token returned by Auth0 to my Flutter app doesn’t include User permissions or scopes, which of course is my big issue. The app needs a JWT with scopes to validate requests to my API, hence it’s configured to use my Auth0 M2M API JWT Bearer tokens, but this can't be used for a native app login from auth0. I hope that makes slightly more sense: the app authenticates users with auth0 and stores the token to be used for calls to the API.
Are you using RBAC? The 3rd section in the linked doc discusses enabling a setting to add permissions to access tokens - Perhaps that is what you’re looking for?
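The API-side check the thread is circling around, as an added example that is not code from either poster: once the API's RBAC setting adds a `permissions` array to user access tokens, the same claims check can accept both the M2M token shown above (which carries both `scope` and `permissions`) and a user token. The code assumes the API's JWT library has already verified the RS256 signature against the tenant's JWKS and hands over the decoded claims; the issuer, audience and M2M claim values are copied from the payload in the thread, while the user tokens and the `auth0|EXAMPLE-USER-ID` subject are constructed placeholders. `peek_claims` is an inspection aid for checking what a token actually contains (the step the original poster was doing by hand) and deliberately performs no verification.

```python
"""Claims-level authorization for an Auth0-issued access token (added example).

Assumes the RS256 signature has already been verified by the API's JWT library;
only the decoded claims are checked here, which is where the thread's question
(is 'permissions' / 'scope' present?) shows up.
"""
import base64
import json
import time
from typing import Any, Iterable, Optional

# Values taken from the payload posted in the thread.
EXPECTED_ISSUER = "https://toothtrack.uk.auth0.com/"
EXPECTED_AUDIENCE = "https://toothtrack.live"


class AuthzError(Exception):
    """Raised when a token must not be accepted for the requested operation."""


def peek_claims(token: str) -> dict[str, Any]:
    """Decode the payload segment of a compact JWT WITHOUT verifying it.

    Use only to inspect what Auth0 put in a token (e.g. whether 'permissions'
    is present); never use the result to make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))


def granted_permissions(claims: dict[str, Any]) -> set[str]:
    """Union of the 'permissions' array (added by the RBAC setting) and 'scope'."""
    perms = set(claims.get("permissions") or [])
    perms.update((claims.get("scope") or "").split())
    return perms


def authorize(claims: dict[str, Any], required: Iterable[str],
              now: Optional[float] = None) -> str:
    """Check issuer, audience and expiry, then require every listed permission.

    Returns the token subject on success so the caller can attribute the action.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise AuthzError("unexpected issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])  # 'aud' may be a list
    if EXPECTED_AUDIENCE not in aud:
        raise AuthzError("token was not issued for this API")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise AuthzError("token expired or has no exp")
    missing = set(required) - granted_permissions(claims)
    if missing:
        raise AuthzError(f"missing permissions: {sorted(missing)}")
    sub = claims.get("sub")
    if not sub:
        raise AuthzError("token has no subject")
    return sub


# Sample claims modelled on the thread's M2M token (client-credentials grant).
M2M_CLAIMS: dict[str, Any] = {
    "iss": EXPECTED_ISSUER, "sub": "7M3oNO5J6U2xyPPElxuu0GTzmJN3UDR0@clients",
    "aud": EXPECTED_AUDIENCE, "iat": 1709029264, "exp": 1709115664,
    "azp": "7M3oNO5J6U2xyPPElxuu0GTzmJN3UDR0", "scope": "read:patients",
    "gty": "client-credentials", "permissions": ["read:patients"],
}
# Constructed: a user's access token once the API's RBAC setting adds 'permissions'.
USER_CLAIMS: dict[str, Any] = {
    "iss": EXPECTED_ISSUER, "sub": "auth0|EXAMPLE-USER-ID", "aud": EXPECTED_AUDIENCE,
    "iat": 1709029264, "exp": 1709115664, "scope": "openid profile email",
    "permissions": ["read:patients"],
}
# Constructed: the situation in the thread, a user token with no permissions at all.
BARE_USER_CLAIMS: dict[str, Any] = {k: v for k, v in USER_CLAIMS.items()
                                    if k != "permissions"}


def build_unsigned_preview(claims: dict[str, Any]) -> str:
    """Build an unsigned JWT-shaped string so peek_claims() can be exercised offline.

    Constructed for the example only; a real Auth0 token carries an RS256 signature.
    """
    def seg(obj: Any) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([seg({"alg": "none", "typ": "JWT"}), seg(claims), ""])


if __name__ == "__main__":
    at = 1709030000  # a moment inside the thread's iat..exp window
    print("M2M:", authorize(M2M_CLAIMS, ["read:patients"], now=at))
    print("user:", authorize(USER_CLAIMS, ["read:patients"], now=at))
    print("bare user has:", granted_permissions(peek_claims(build_unsigned_preview(BARE_USER_CLAIMS))))
```

`granted_permissions` accepts either claim on purpose: Auth0's M2M tokens carry `scope`, user tokens carry `permissions` once the RBAC setting is on, and the API should not care which grant produced the token as long as the signature, issuer, audience and expiry check out.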