No roles in token

I’m trying to get roles added as a claim to my JWT, but so far they are not coming through. This is what I have done:

  1. I have added the Authorization Extension
  2. In the extension, created a role and added a user to it
  3. In the extension configuration, under rules configuration, flipped the switch for roles:
  4. Clicked publish
  5. In my control panel, verified that the rule got created
  6. When I run the rule and change the user details to my test user's, the roles array still comes back blank.

As an aside, I’m fairly certain when I tested this earlier it was not blank, but then when I log in with my SPA (Angular) the roles array itself was absent from the token.

What am I missing? I’ve followed the documentation and read posts in here, but would be happy to be pointed at a more detailed step-by-step approach. With that said, it’s not a greenfield application, so I’ve had to interpret it as best I can in a lot of cases for my existing scenario.

Hi @mattgoldman,

I haven’t used the authz extension in a while but I believe that toggle just saves role data in the user’s profile (user.app_metadata.authorization). If you want to add that same data to your ID token you need to create another rule that does that. This might help:

Hi @markd, thanks for the response. I think this is the toggle that saves the role data:

But just for fun I’ve now got both on.

Also thanks for the doc - that seems to suggest that you need to configure your application in the dashboard to assert that roles (and which roles) are required, which I suppose then necessitates their inclusion in the token.

I have followed those steps, and this doesn’t seem to have made a difference. However, I did spot this:

I wonder if the problem is with my login process. Is this something I should configure in my client, here for example?


Thanks again

I believe that is correct. When you log in, you will get back a combination of the scopes you request (and are allowed to request) and any additional attributes you manually add to the ID and / or access tokens.

And you are right, it is the second toggle that persists the data in the user’s profile. Note that this is implemented in a rule which means the data in the user’s profile is only added / updated during login events.

If I remember correctly, our setup was very basic. We persisted the data in the user’s profile and then manually added it to our tokens. I don’t think we used the ‘authz object in rules’ feature.

Thanks Mark, appreciate the response. I think another problem was that I was testing on the free tier, which doesn’t support roles. I’ve subsequently switched this to one of the paid tiers that includes it. Next step is to figure out how I request these in my login config, although in the meantime when I run the ‘test rules with username and password’ I do now get the roles array, but they are still blank.

I am going to log a support ticket and will post findings back here when it gets resolved.


You are probably aware of this but just to make sure, there are two “RBAC” options in Auth0 today. The Authorization Extension, which is where your screenshots come from, and “authorization core”, which is a relatively new feature that is built in to Auth0. I suspect authz core will eventually replace the authz extension altogether, though I don’t know that for sure. Sometimes the two services can cause some confusion.

In either case the usual way to get profile data into your ID tokens and / or access tokens is to write a Rule. For the authz extension you can either access its API or persist the data in the user profile and pull from there. For authz core you can get the data from the management API.
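One way to write the Rule Mark describes, as an added example that is not from this thread or from Auth0's own code: it reads the roles the Authorization Extension persisted under user.app_metadata.authorization and copies them into a namespaced custom claim on both the ID token and the access token. The claim name, the constructed sample profile and the runRule helper are assumptions; in the Auth0 dashboard the rule is pasted as an anonymous function(user, context, callback), it is named here only so it can be exercised locally.

```javascript
// Added example (not the thread's or Auth0's code). Assumes the extension's
// "persist roles" toggle is on, so the profile carries app_metadata.authorization.
const ROLES_CLAIM = 'https://example.com/roles'; // placeholder namespace

function addRolesToTokens(user, context, callback) {
  // The extension's own rule fills app_metadata.authorization during login,
  // so a user who has never logged in since roles were assigned has none yet.
  const authz = (user.app_metadata && user.app_metadata.authorization) || {};
  const roles = Array.isArray(authz.roles) ? authz.roles : [];

  // Auth0 only keeps custom claims whose name is a URL-style namespace;
  // a bare "roles" claim would be silently dropped from the token.
  context.idToken = context.idToken || {};
  context.accessToken = context.accessToken || {};
  context.idToken[ROLES_CLAIM] = roles;
  context.accessToken[ROLES_CLAIM] = roles;

  // The SPA may read the ID token claim for UI decisions, but the API must
  // enforce authorization from the validated access token, never from the client.
  return callback(null, user, context);
}

// Constructed test harness (not part of a real rule): runs the rule against a
// profile object and returns the resulting context, or null on error.
function runRule(user) {
  const context = { clientID: 'placeholder-client-id', idToken: {}, accessToken: {} };
  let result = null;
  addRolesToTokens(user, context, (err, _u, ctx) => { result = err ? null : ctx; });
  return result;
}

// Constructed sample profiles: one with persisted roles, one that never logged in.
const SAMPLE_USER = {
  user_id: 'auth0|sample-user',
  app_metadata: { authorization: { roles: ['admin', 'editor'], groups: [] } },
};
const NEW_USER = { user_id: 'auth0|new-user' };
```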

Greetings - I am using angular client sample/code - I’m unable to receive roles - tips please

+1 This - Receiving roles on angular/client auth is critical and I don’t see any resources from Auth0 for making this possible. When will this concern be addressed? I wish to receive assigned roles when the client auths.

What do you mean when you say you are “unable to receive roles”? What have you done so far that is not working?

Are you using authorization core, the authorization extension, or a DIY solution?