Permission claim empty if logging on using Organization - still unresolved

Permission claim in token is empty when logging on to an application as an organization team member.

Unfortunately this ticket has been closed without a real solution/fix to the bug. It’s been 3 months and I’m facing the exact same issue. I would prefer a real fix to this workaround.

Thanks

Hello,

Permission claim in token is empty when logging on to an application as an organization team member.

When accessing the application as an individual, the permission claim is populated.

RBAC is enabled and include permission in access token is enabled. The permission claim exists in the token in both cases, however for the organization the permission array is empty.

Is this a bug or is it intended?

Thank you,
Nils


Hi @PatrickHeneise

Thanks for reaching out to the Auth0 Community!

My apologies for not getting back to you sooner. And yes, normally topics are automatically closed after 15 days from the last reply.

Now, after my investigation, I found that there were no issues with getting the permissions added to the access token when authenticating with Organizations.

I believe what happened involved the user only being assigned to those Permissions globally on their user profile (non-organization), instead of having them assigned as an Organization member. The difference is subtle, but it determines whether the Permissions claim is added to the access token.

For example:

  • If we assign the user the read:reports and update:reports permissions on the user profile through the Auth0 Dashboard > User Management > Users > Roles, then when authenticating through an organization, the access token will not have these permissions. It will have these permissions if authenticating regularly without the org_id.

  • If we assign the user the read:reports and update:reports permissions in the Members section of the Auth0 Dashboard > Organizations > Members > Assign Roles, then when authenticating through an organization, the access token will have these permissions. It will not have these permissions if authenticating regularly without the org_id.

I recommend following the steps outlined in our Add Roles to Organization Members documentation.

I hope the explanation helps!

Please let me know if I can help you with anything else.
Thanks,
Rueben

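A quick way to confirm which of the two cases above you are in is to look at the token itself: an Organization login carries an `org_id` claim, and the `permissions` claim is present but empty when the roles were only assigned on the user profile. The script below is an added example, not code from the thread or from Auth0; it decodes the payload of an access token without verifying the signature (a diagnostic for a token you already hold, not a substitute for JWT validation on the API), and reports the combination of `org_id` and `permissions` with a hint. The sample tokens are constructed here and carry a placeholder signature.

```javascript
// Added example (not from the thread or from Auth0): inspect an access token's
// org_id and permissions claims to tell an org login from an individual login.
// The decode is unverified and is meant only for diagnosing a token you hold.

function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Split a compact JWS and decode the payload segment only.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Classify the token: org login or not, permissions claim present/empty/populated.
function diagnosePermissions(jwt) {
  const claims = decodePayload(jwt);
  const orgLogin = typeof claims.org_id === 'string';
  const permissions = Array.isArray(claims.permissions) ? claims.permissions : null;

  let hint;
  if (permissions === null) {
    hint = 'no permissions claim at all: "include permissions in access token" is not enabled on the API';
  } else if (permissions.length > 0) {
    hint = 'permissions populated';
  } else if (orgLogin) {
    hint = 'org login with empty permissions: roles were probably assigned on the user profile, '
      + 'not on the Organization membership (Organizations > Members > Assign Roles)';
  } else {
    hint = 'individual login with empty permissions: no roles assigned on the user profile';
  }
  return { orgLogin, orgId: claims.org_id ?? null, permissions, hint };
}

// Constructed sample tokens: realistic claim shapes, placeholder header/signature.
const HEADER = b64url({ alg: 'RS256', typ: 'JWT' });
const SIG = 'placeholder-signature';
function sampleToken(payload) {
  return `${HEADER}.${b64url(payload)}.${SIG}`;
}

const BASE = { iss: 'https://example-tenant.example.auth0.com/', sub: 'auth0|user1', aud: 'https://api.example.com' };
const ORG_TOKEN = sampleToken({ ...BASE, org_id: 'org_EXAMPLE123', permissions: [] });
const INDIVIDUAL_TOKEN = sampleToken({ ...BASE, permissions: ['read:reports', 'update:reports'] });
const NO_CLAIM_TOKEN = sampleToken({ ...BASE });

// Usage: run both and compare the hints.
console.log(diagnosePermissions(ORG_TOKEN));
console.log(diagnosePermissions(INDIVIDUAL_TOKEN));
console.log(diagnosePermissions(NO_CLAIM_TOKEN));
```

Paste a real token in place of the constructed ones; the `org_id` plus empty `permissions` combination is exactly the symptom described in the original question.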

Thanks Rueben! That was it. I didn’t realize there are two different permission/role implementations there.


Thank you for the explanation! We ran into the same issue.

Like you said, the difference is subtle, and I would argue non-intuitive. I think I understand why there needs to be a difference, but I think you need to surface it in the documentation and console more clearly.

The console uses this language for roles: “List of roles this user has.” It’s reasonable to think those apply when they log in using an organization as well. Below is a screenshot from your documentation, for permissions rather than roles.

None of this documentation mentions it:

Thank you for the thorough explanation!


Hi,

I agree. I’ve just encountered the same issue and thankfully I found the answer here otherwise I’d have struggled.


Linking to the documented FAQ found here:

We use both Native Applications for internal tools and SPAs for our web apps, and it doesn’t look like Organizations are supported on Native Applications yet. (EDIT: it’s Device Authorization flow that isn’t supported, not Native Applications)

For that reason, and to avoid this confusion, I am trying to write an Action that keeps global roles in sync with organization roles. I am guessing nothing like this exists yet, but it would be really useful if there’s an existing extension or option that would do this automatically. Is there?

Hi @tim.becker,

Using Organizations in Native Applications should be possible. I recommend checking out our Organization Limitations documentation for the complete list of limitations.

That’s a great idea to use an Action script to sync the global and Organization roles :clap:!

And that is correct, there currently isn’t an extension that can keep the global and Organization roles in sync. Because they are distinct Roles referring to different scenarios, the best option to keep them in sync is using a Post-Login Action as you have found.

Thanks,
Rueben
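For the Post-Login Action that tim.becker describes and Rueben endorses above, here is an added example of the shape such a sync could take. It is not code from the thread or from Auth0. It assumes a small Management API wrapper with three methods (`getUserRoles`, `getOrgMemberRoles`, `addOrgMemberRoles`), which in a real Action you would implement over the Auth0 Management API using credentials kept in `event.secrets`; the in-memory client here is a constructed stand-in so the file runs offline. The sync only adds missing roles to the Organization membership and never removes any, and a failure is logged rather than allowed to block the login.

```javascript
// Added example (not from the thread or from Auth0): a Post-Login Action that
// copies a user's global roles onto their Organization membership.
// Assumed wrapper interface (not on the page):
//   getUserRoles(userId)             -> [{ id, name }]
//   getOrgMemberRoles(orgId, userId) -> [{ id, name }]
//   addOrgMemberRoles(orgId, userId, roleIds)

// Pure planning step: role ids held globally but not on the org membership.
// Additions only; org-specific assignments are never dropped.
function planRoleSync(globalRoles, orgRoles) {
  const present = new Set(orgRoles.map((r) => r.id));
  return globalRoles.map((r) => r.id).filter((id) => !present.has(id));
}

// Apply the plan. Idempotent: a second run finds nothing missing and returns [].
async function syncGlobalRolesToOrg(client, userId, orgId) {
  const globalRoles = await client.getUserRoles(userId);
  const orgRoles = await client.getOrgMemberRoles(orgId, userId);
  const missing = planRoleSync(globalRoles, orgRoles);
  if (missing.length > 0) {
    await client.addOrgMemberRoles(orgId, userId, missing);
  }
  return missing;
}

// Constructed in-memory stand-in for the Management API wrapper.
function makeInMemoryClient(store) {
  return {
    async getUserRoles(userId) {
      return store.userRoles[userId] || [];
    },
    async getOrgMemberRoles(orgId, userId) {
      const org = store.orgRoles[orgId] || {};
      return org[userId] || [];
    },
    async addOrgMemberRoles(orgId, userId, roleIds) {
      const org = (store.orgRoles[orgId] = store.orgRoles[orgId] || {});
      org[userId] = (org[userId] || []).concat(roleIds.map((id) => ({ id })));
    },
  };
}

// Constructed demo data: one user with a global role and an empty org membership.
const DEMO_STORE = {
  userRoles: { 'auth0|nils': [{ id: 'rol_REPORTS_DEMO', name: 'Reports' }] },
  orgRoles: { org_DEMO: { 'auth0|nils': [] } },
};

// Action entry point. Auth0 invokes exports.onExecutePostLogin(event, api);
// event.organization is only set for an Organization login. The third
// parameter exists so the example can be driven with the in-memory client.
async function onExecutePostLogin(event, api, client = makeInMemoryClient(DEMO_STORE)) {
  if (!event.organization) return []; // individual login: nothing to sync
  try {
    return await syncGlobalRolesToOrg(client, event.user.user_id, event.organization.id);
  } catch (err) {
    // Sync problems must not turn into a failed login.
    console.log(`role sync skipped for ${event.user.user_id}: ${err.message}`);
    return [];
  }
}
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Usage: simulate an org login for the demo user.
onExecutePostLogin({ user: { user_id: 'auth0|nils' }, organization: { id: 'org_DEMO' } }, {})
  .then((added) => console.log('roles added to org membership:', added));
```

Because the Action only adds, a role deliberately given to a member in one Organization and not globally stays in place; if you also want removals you need a deliberate ownership rule, since the two role sets are distinct by design, as Rueben notes.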
