Multiple audiences (/userinfo and custom API) with Social Login

Hi!

I’m currently using a setup where I set my audience to my custom API and specify ‘openid’ in the scope so I can get multiple audiences (i need access to /userinfo) (documented feature https://auth0.com/docs/tokens/guides/get-access-tokens : Multiple Audiences) and this works fine. However, when I use the social login any other extra scopes (custom permissions for my API) are stripped away (ex: requested ‘openid profile email read:posts’ and got back ‘openid profile email’; read:posts is defined permission in my custom API). I’m not sure why :\ I need some help figuring this one out.

Thanks!

Hi @IAmTheVex

Have you enabled RBAC for your API?

This should then add all permissions for the user in the access token even if the authentication is performed at an external provider. A couple of caveats though:

  1. Including permissions in the Access Token allows you to make minimal calls to retrieve permissions, but increases token size.
  2. Remember that any configured rules run after the RBAC-based authorisation decisions are made, so they may override default behaviour.
1 Like

It actually works fine with Database connection. The issues appear when i use Social Login.

Thanks alot!

Hi @IAmTheVex,

Could you detail/confirm your use case/expected user journey a bit more please? For example:

  1. User signs up with Social Account
  2. User is assigned permissions (read:posts) to your API
  3. User logs in with social account and they then should have the permissions (read:posts) in their access token to your API
1 Like

Hi @andy.carter ! Sure!

  1. The user clicks the login/sign-up button and is redirected to the Auth0 login/register flow.
  2. The user picks a social login method and is redirected to that provider to continue with authentication.
  3. Auth0 does it’s magic here.
  4. The user is redirected to the callback url with the code that is exchanged for an access token that has the scope of openid, email, profile, read:posts (custom permission) and the audience of my API and also the /userinfo endpoint. (this is a documented feature, check my initial post).
  5. The app makes requests to the backend API with this token and also to the /userinfo endpoint.

This flow works without a problem when the social login is replaced by a simple email/password login. I think what’s happening is that the social login considers “read:posts” to be a provider specific permission and does not check for a custom API permission.

Here is an example of the decoded auth token with and without social login:

{
iss: ‘https://########.eu.auth0.com/’,
sub: ‘google-oauth2|##########’,
aud: [
‘core-services/api/graphql’,
‘https://########.eu.auth0.com/userinfo’
],
iat: 1589877345,
exp: 1589884545,
azp: ‘########’,
scope: ‘openid profile email’,
permissions: []
}

{
iss: ‘https://########.eu.auth0.com/’,
sub: ‘auth0|##########’,
aud: [
‘core-services/api/graphql’,
‘https://#########.eu.auth0.com/userinfo’
],
iat: 1589894672,
exp: 1589901872,
azp: ‘###########’,
scope: ‘openid profile email read:posts’,
permissions: [ ‘read:posts’ ]
}

The requested audience is ‘core-services/api/graphql’ and the requested scope is ‘openid profile email read:posts’.

Thanks a lot!
//Laurentiu.

Also, i don’t have configured any rules.

@andy.carter quick update.

If i create a role and assign that role to a user, then request the scope with the same permissions as the role, seems to work.

This will be fine for now, still looking for a solution to this issue tho’.

Thanks!
//Laurentiu.

Hey @IAmTheVex,

Thanks for the additional info!

The step I thought you were doing was to assign the permission to the user before requesting the read:posts scope. Authenticating via Google without this permission being assigned to the user and RBAC being enabled wouldn’t return this scope as Google has no knowledge of it and it’s not applicable to Google.

You’re actually on the right lines with your last post! My suggestion would be to create a default role with the required permission(s) to your API, then use a rule to add the default role to the user on first login, by calling the management API:

There is an example rule here:

This will need to be done in a rule rather than the Post Registration Hook as the Post-User Registration extensibility point is only available for Database Connections and Passwordless Connections.

@andy.carter i’ve tried that rule and actually managed to add the “default” role to my users on the first login… my only problem now is that this seems to happen async, so it would first prompt my user to grant access to profile and email and by the time my callback is called and i have any chance to exchange the code for the token, the role will be added and i will be blocked by a consent_required error (because the scope has changed in the meantime) and so, on the second login attempt i am prompted with the new permissions request (ex: for “read:posts”) and after that it all works ok.

This flow is not desired… is there another way to add this role, or to maybe make the rule pause the authentication until the role is added?

Thanks a lot! Your help was very useful.
//Laurentiu.

@andy.carter I’ve got it to work… seems like mindlessly copying code is not the best idea.

Thanks a lot for your support!
//Laurentiu.

1 Like

Hey @IAmTheVex,

Excellent news that it’s working!

Glad I could help, thank you! :slight_smile:

1 Like

Teamwork makes the dream work!

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.