I’m working on a Spring Boot application and using Auth0 for authentication and authorization. My goal is to secure certain API endpoints with varying permission levels.
Despite setting up Role-Based Access Control (RBAC) on my Auth0 API and enabling the setting to include permissions in the access token, I’m not seeing the permissions in the JWT access tokens received by my Spring Boot app.
I’ve checked that the `scope` in my Spring Boot `application.properties` file includes `openid`, `profile`, and `email`, and have confirmed that the access token does contain these claims. However, the `permissions` claim remains null. Here’s an example of the decoded access token JWT I’m receiving:
```text
Key: sub, Value: TpkuBtHOvatLWNHbBNbxQKHK1ak6Srk6@clients
Key: aud, Value: [https://phub-JWT]
Key: azp, Value: T
Key: iss, Value: https://dev-.us.auth0.com/
Key: exp, Value: 2023-06-14T17:47:28Z
Key: iat, Value: 2023-06-13T17:47:28Z
Key: gty, Value: client-credentials
Permissions: null
```
I’ve tried different scopes in my `application.properties` file without success. My Auth0 setup includes the following:
- Auth0 Application is set as a “Regular Web Application”.
- Auth0 API has RBAC enabled and “Add Permissions in the Access Token” is checked.
- Users in my Auth0 tenant have roles assigned with the appropriate permissions.
My application is using the Authorization Code flow and I’m correctly requesting the access token with the `audience` parameter set to my Auth0 API identifier.
I believe this line indicates the wrong authorization flow is occurring, but I’m not certain:

```text
Key: sub, Value: TpkuBtHOvatLWNHbBNbxQKHK1ak6Srk6@clients
```
And below are my application properties for reference:

```properties
spring.security.oauth2.client.registration.auth0.authorization-grant-type=authorization_code
spring.security.oauth2.resourceserver.jwt.issuer-uri=https://dev-u.us.auth0.com/
spring.security.oauth2.client.registration.auth0.client-id=T
spring.security.oauth2.client.registration.auth0.client-secret=h
spring.security.oauth2.client.registration.auth0.scope=openid,profile,email,VIEWER
spring.security.oauth2.client.provider.auth0.issuer-uri=https://dev.us.auth0.com/
spring.security.oauth2.resourceserver.jwt.public-key-location=/dev.pem
```
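Added example, not from the original post: once a token does carry Auth0's `permissions` claim, Spring Security's resource server has to be told to read that claim, because its default converter only looks at `scope`/`scp` and prefixes `SCOPE_`. The configuration below maps the `permissions` array into `GrantedAuthority` values so endpoints can be guarded per permission; the endpoint paths and permission names are hypothetical. Note that a token with `gty: client-credentials` and a `sub` ending in `@clients` was issued to the application itself rather than to a user, so role assignments made to users do not apply to it.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

// Added example (Spring Security 6 style); not part of the original post.
@Configuration
@EnableWebSecurity
public class ResourceServerConfig {

    // Auth0 RBAC places permissions in a custom "permissions" claim, a JSON array of
    // strings such as "read:reports". Point the authorities converter at that claim and
    // drop the default "SCOPE_" prefix so hasAuthority("read:reports") matches directly.
    private Converter<Jwt, AbstractAuthenticationToken> permissionsConverter() {
        JwtGrantedAuthoritiesConverter authorities = new JwtGrantedAuthoritiesConverter();
        authorities.setAuthoritiesClaimName("permissions");
        authorities.setAuthorityPrefix("");
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(authorities);
        return converter;
    }

    @Bean
    SecurityFilterChain apiSecurity(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Hypothetical endpoints and permission names; each route requires a
                // distinct permission, which is the "varying permission levels" goal.
                .requestMatchers("/api/reports/**").hasAuthority("read:reports")
                .requestMatchers("/api/admin/**").hasAuthority("manage:users")
                .anyRequest().authenticated())
            // Validate the bearer JWT (issuer/keys come from application.properties)
            // and turn its "permissions" claim into authorities.
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(permissionsConverter())));
        return http.build();
    }
}
```

If the claim is absent from the token, the authenticated principal simply has no authorities and every per-permission route returns 403, which is a useful signal when debugging which flow issued the token.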