Merge scope and permissions in scope in a rule

Hello everybody,

As in subject, I have the need to merge in a rule scope and permissions in the scope member of the access token

{
    "scope" : "openid profile email",
    "permissions" : [ "do:something-cool" ]
}
// to
{
    "scope" : "openid profile email do:something-cool"
}

more particularly, I don’t find at all any reference to the permissions array in any rule, but I have it in the final access token.
so far i have tried everything and I cannot find an answer, can anyone help?

1 Like

Hi @a.sanino

As it stands right now, the RBAC core does not provide access to the calculated permissions on the context object while rules execute, so you’ll have to do the merge in your app/API when processing the token.

While not exactly what you are after, if you set the API like this:

the scope will be the intersection of scopes requested and permissions allowed for the user. But the client application still needs to requests all the scopes it wants and then get only the scopes allowed for the user.

Thank you, this perfectly solves my problem :wink:

1 Like

Related, however I’m marking Nicolas answer as solution for now, since it solved the OP problem:

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.