Problem statement
The Permissions claim in the Access Token is empty when logging in to an application as an Organization team member.
Symptoms
- The Permissions array is empty in the Access Token even after enabling RBAC settings and the Add Permissions in the Access Token toggle.
Cause
- The user was being assigned to those Permissions globally on their user profile (non-organization), instead of having them assigned as an Organization member. The difference is subtle, but it determines whether the Permissions claim is added to the access token.
For example:
- If we assign the user the read:reports and update:reports permissions on the user profile, through Auth0 Dashboard > User Management > Users > Roles, then when authenticating through an organization the access token will not have these permissions. It will have them when authenticating regularly, without the org_id.
- If we assign the user the read:reports and update:reports permissions in the Members section, through Auth0 Dashboard > Organizations > Members > Assign Roles, then when authenticating through an organization the access token will have these permissions. It will not have them when authenticating regularly, without the org_id.
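The quickest way to confirm which of the two cases above applies is to inspect the issued access token for the org_id and permissions claims together. The following is an added diagnostic script, not part of the original article; it assumes only the standard three-segment base64url JWT layout and decodes the payload without verifying the signature (the sample tokens are constructed here, not real Auth0 output).

```python
import base64
import json


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying the signature.
    Diagnostic use only: a real API must still validate the token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(claims: dict) -> str:
    """Map the org_id / permissions combination to the cause described above."""
    perms = claims.get("permissions") or []  # missing or [] both count as empty
    if perms:
        return "ok"
    if "org_id" in claims:
        # Organization login: roles must be assigned on the Organization member,
        # not on the user profile
        return "org login, roles assigned globally (or not at all)"
    # Regular login (no org_id): only roles assigned on the user profile apply
    return "regular login, roles not assigned on the user profile"


def make_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string for the samples below."""
    def seg(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}.sig"


# Constructed sample tokens (hypothetical org and user identifiers)
ORG_LOGIN_GLOBAL_ROLES = make_token(
    {"sub": "auth0|example-user", "org_id": "org_example", "permissions": []})
ORG_LOGIN_ORG_ROLES = make_token(
    {"sub": "auth0|example-user", "org_id": "org_example",
     "permissions": ["read:reports", "update:reports"]})
REGULAR_LOGIN_GLOBAL_ROLES = make_token(
    {"sub": "auth0|example-user", "permissions": ["read:reports"]})

if __name__ == "__main__":
    for name, tok in [("org login / global roles", ORG_LOGIN_GLOBAL_ROLES),
                      ("org login / org roles", ORG_LOGIN_ORG_ROLES),
                      ("regular login / global roles", REGULAR_LOGIN_GLOBAL_ROLES)]:
        claims = decode_claims(tok)
        print(f"{name}: permissions={claims.get('permissions')} -> {diagnose(claims)}")
```

Paste a real access token in place of the constructed ones to see which case your login falls into.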
Solution
The recommended solution is to assign the Roles to the user as an Organization member.
Please follow the steps outlined in our Add Roles to Organization Members documentation.