Not Receiving Permissions in Access Token with Auth0 and Spring Boot

I’m working on a Spring Boot application and using Auth0 for authentication and authorization. My goal is to secure certain API endpoints with varying permission levels.

Despite setting up Role-Based Access Control (RBAC) on my Auth0 API and enabling the setting to include permissions in the access token, I’m not seeing the permissions in the JWT access tokens received by my Spring Boot app.

I’ve checked that the scope in my Spring Boot file includes openid, profile, and email and have confirmed that the access token does contain these claims. However, the permissions claim remains null. Here’s an example of the decoded access token JWT I’m receiving:

Key: sub, Value: TpkuBtHOvatLWNHbBNbxQKHK1ak6Srk6@clients
Key: aud, Value: [https://phub-JWT]
Key: azp, Value: T
Key: iss, Value:
Key: exp, Value: 2023-06-14T17:47:28Z
Key: iat, Value: 2023-06-13T17:47:28Z
Key: gty, Value: client-credentials
Permissions: null

I’ve tried different scopes in my file without success. My Auth0 setup includes the following:

  1. Auth0 Application is set as a “Regular Web Application”.
  2. Auth0 API has RBAC enabled and “Add Permissions in the Access Token” is checked.
  3. Users in my Auth0 tenant have roles assigned with the appropriate permissions.

My application is using the Authorization Code flow and I’m correctly requesting the access token with the audience parameter set to my Auth0 API identifier.

I believe this line indicates the wrong authorization flow is occurring, but I’m not certain.

Key: sub, Value: TpkuBtHOvatLWNHbBNbxQKHK1ak6Srk6@clients

And below are my application properties for reference: profile,email,VIEWER

Hi @Stark-Code,

Welcome to the Auth0 Community!

The token you shared here is for the Client Credentials Grant. This grant type is a user-less grant, and isn’t a user’s access token.

How are you logging the user in and retrieving the user’s token?
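To make the distinction in this reply concrete, here is an added Python example (not from the original thread, and not Auth0's or Spring's code) that decodes the payload of a compact JWT and classifies it the way you would when debugging this: a `gty` claim of `client-credentials`, or a `sub` ending in `@clients`, marks a machine-to-machine token, which has no user behind it and therefore no user roles or permissions, while a user token from the Authorization Code flow is where the `permissions` claim is expected. The two tokens are constructed inside the script with a placeholder signature; the script does not verify signatures (the resource server's JWT decoder does that against the issuer's keys), so it is for inspecting claims only, like pasting a token into a decoder.

```python
import base64
import json
from dataclasses import dataclass, field


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. No signature verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


@dataclass
class TokenDiagnosis:
    grant: str                                   # "client-credentials", "user" or "unknown"
    permissions: list = field(default_factory=list)
    notes: list = field(default_factory=list)


def diagnose(token: str) -> TokenDiagnosis:
    """Classify the grant behind a token and pull out its permissions, if any."""
    claims = decode_claims(token)
    result = TokenDiagnosis(grant="unknown")
    sub = claims.get("sub", "")
    gty = claims.get("gty")

    # Auth0 marks Client Credentials tokens with gty=client-credentials and a
    # subject of the form <client_id>@clients. There is no user, so no RBAC data.
    if gty == "client-credentials" or sub.endswith("@clients"):
        result.grant = "client-credentials"
        result.notes.append("machine-to-machine token: no user, so no user permissions")
    elif sub:
        result.grant = "user"

    perms = claims.get("permissions")
    if isinstance(perms, list):
        result.permissions = list(perms)
    elif result.grant == "user":
        result.notes.append(
            "user token without a 'permissions' claim: check that RBAC and "
            "'Add Permissions in the Access Token' are enabled on the API the "
            "'aud' claim names"
        )
    return result


# --- constructed sample tokens: not real Auth0 tokens, signature is a placeholder ---
def make_sample_token(claims: dict) -> str:
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "signature-placeholder",
    ])


M2M_TOKEN = make_sample_token({
    "iss": "https://example-tenant.auth0.com/",   # constructed issuer
    "sub": "abc123@clients",                        # constructed client id
    "aud": ["https://example-api"],                 # constructed API identifier
    "gty": "client-credentials",
})

USER_TOKEN = make_sample_token({
    "iss": "https://example-tenant.auth0.com/",
    "sub": "auth0|user-0001",                       # constructed user id
    "aud": ["https://example-api"],
    "scope": "openid profile email",
    "permissions": ["read:items", "write:items"],  # constructed RBAC permissions
})


if __name__ == "__main__":
    for name, token in (("M2M", M2M_TOKEN), ("USER", USER_TOKEN)):
        d = diagnose(token)
        print(name, d.grant, d.permissions, d.notes)
```

Run against a real token from the thread's situation, the M2M case is what `sub: ...@clients` plus `gty: client-credentials` produces, and the `permissions` list stays empty no matter how the API's RBAC settings are configured; the user case is the one where the API-side settings and the `audience` parameter determine whether the claim shows up.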
