I’m working on a Spring Boot application and using Auth0 for authentication and authorization. My goal is to secure certain API endpoints with varying permission levels.
Despite setting up Role-Based Access Control (RBAC) on my Auth0 API and enabling the setting to include permissions in the access token, I’m not seeing the permissions in the JWT access tokens received by my Spring Boot app.
I’ve checked that the scope in my Spring Boot application.properties file includes
Key: sub, Value: TpkuBtHOvatLWNHbBNbxQKHK1ak6Srk6@clients
Key: aud, Value: [https://phub-JWT]
Key: azp, Value: T
Key: iss, Value: https://dev-.us.auth0.com/
Key: exp, Value: 2023-06-14T17:47:28Z
Key: iat, Value: 2023-06-13T17:47:28Z
Key: gty, Value: client-credentials
Permissions: null
I’ve tried different scopes in my application.properties file without success. My Auth0 setup includes the following:
- Auth0 Application is set as a “Regular Web Application”.
- Auth0 API has RBAC enabled and “Add Permissions in the Access Token” is checked.
- Users in my Auth0 tenant have roles assigned with the appropriate permissions.
My application is using the Authorization Code flow and I’m correctly requesting the access token with the audience parameter set to my Auth0 API identifier.
I believe this line indicates the wrong authorization flow is occurring, but I’m not certain.
Key: sub, Value: TpkuBtHOvatLWNHbBNbxQKHK1ak6Srk6@clients
And below are my application properties, for reference.
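As an added example (not the poster's code), this is the Spring Security 6 resource-server wiring that maps the Auth0 `permissions` claim to Spring authorities and lets you detect a client-credentials token like the one decoded above, where `gty` is `client-credentials` and the subject ends in `@clients`; such a token belongs to an application, not a user, so user role permissions cannot appear in it. The `/api/reports/**` path and the `read:reports` permission are hypothetical placeholders.

```java
import java.util.Collection;
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class Auth0PermissionsConfig {

    /** Maps the Auth0 "permissions" claim to authorities; an absent claim yields no authorities. */
    static Collection<GrantedAuthority> permissionsToAuthorities(Jwt jwt) {
        List<String> permissions = jwt.getClaimAsStringList("permissions");
        if (permissions == null) {
            return List.of();
        }
        return permissions.stream()
                .map(SimpleGrantedAuthority::new)
                .collect(Collectors.toList());
    }

    /** True for a machine-to-machine token: Auth0 sets gty=client-credentials and a sub ending in "@clients". */
    static boolean isClientCredentialsToken(Jwt jwt) {
        String sub = jwt.getSubject();
        return "client-credentials".equals(jwt.getClaimAsString("gty"))
                || (sub != null && sub.endsWith("@clients"));
    }

    @Bean
    JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(Auth0PermissionsConfig::permissionsToAuthorities);
        return converter;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, JwtAuthenticationConverter converter) throws Exception {
        // Hypothetical endpoint: requires the "read:reports" permission from the token's permissions claim.
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/reports/**").hasAuthority("read:reports")
                .anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.jwtAuthenticationConverter(converter)));
        return http.build();
    }
}
```

With the token decoded above, `permissionsToAuthorities` returns an empty collection and `isClientCredentialsToken` returns true, which is why `hasAuthority` checks fail for that token regardless of the user roles configured in the tenant.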