Permissions in JWT always empty

Hi there,
I'm trying to secure my API with RBAC.

On the Auth0 dashboard I've created a Web App and an API, authorized the App to use this API,
added some permissions to the API and enabled the RBAC setting,
created a role with a permission of the API,
assigned this role to a user,
logged in to the App with this user.
When this App retrieved a token for this API from the endpoint /oauth/token with params:

{
  "client_id":"<app-id>",
  "client_secret":"<app-secret>",
  "audience":"https://test.app/api/test",
  "grant_type":"client_credentials"
}

the permissions claim of the returned JWT is empty. What is wrong, or is some configuration missing?

The JWT is like this:

{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "********"
}

{
  "iss": "https://***.auth0.com/",
  "sub": "**************@clients",
  "aud": "https://test.app/api/test",
  "iat": 1624679108,
  "exp": 1624679168,
  "azp": "**************",
  "gty": "client-credentials",
  "permissions": []
}

Hi @pinalto,

Welcome to the Community!

When you request a token with the client credentials grant, you are not requesting the token on behalf of a user. That grant is used for machine-to-machine (M2M) access.

To get the permissions associated with the user’s roles in the token, you will need to log in as the user. Try logging in as the user with one of our sample apps.
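To make the distinction concrete, here is an added example (not part of the original thread or Auth0's code) that decodes a token of the shape posted above, reports why its `permissions` claim is empty, and shows the check an API would apply to a user token. All claim values are constructed placeholders; the permission name `read:tests`, the user `sub`, the tenant domain and the signature segment are assumptions. The decoder reads claims only and does not verify the signature; an API must still verify the RS256 signature against the tenant's JWKS before trusting any claim.

```python
import base64
import json

API_AUDIENCE = "https://test.app/api/test"

# Constructed sample claims. M2M_PAYLOAD mirrors the token from the question
# (client credentials grant, empty permissions). USER_PAYLOAD is the shape of a
# token obtained by logging in as a user whose role carries "read:tests"
# (assumed permission name); the placeholder ids are not real Auth0 values.
HEADER = {"alg": "RS256", "typ": "JWT", "kid": "placeholder-kid"}
M2M_PAYLOAD = {
    "iss": "https://placeholder.auth0.com/",
    "sub": "placeholderclientid@clients",
    "aud": API_AUDIENCE,
    "iat": 1624679108,
    "exp": 1624679168,
    "azp": "placeholderclientid",
    "gty": "client-credentials",
    "permissions": [],
}
USER_PAYLOAD = {
    "iss": "https://placeholder.auth0.com/",
    "sub": "auth0|placeholderuserid",
    "aud": [API_AUDIENCE, "https://placeholder.auth0.com/userinfo"],
    "iat": 1624679108,
    "exp": 1624679168,
    "azp": "placeholderclientid",
    "permissions": ["read:tests"],
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_unsigned_token(header: dict, payload: dict) -> str:
    """Assemble header.payload.signature for the demo only. The signature segment
    is a fixed placeholder, so this token is unsigned and must never be accepted."""
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        "placeholder-signature",
    ])


def decode_claims(token: str) -> tuple:
    """Split and base64url-decode header and payload WITHOUT verifying the
    signature. Fine for reading claims while debugging; the API itself must
    verify the RS256 signature against the tenant JWKS before trusting anything."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def diagnose_permissions(payload: dict) -> str:
    """Return a short code explaining why `permissions` is empty or missing."""
    sub = str(payload.get("sub", ""))
    if payload.get("gty") == "client-credentials" or sub.endswith("@clients"):
        # Token was issued to the application itself; a user's roles never apply.
        return "m2m-token"
    if "permissions" not in payload:
        # User token, but the API's RBAC settings are not adding permissions to it.
        return "no-permissions-claim"
    if not payload["permissions"]:
        # User token with RBAC on, but the user's roles grant nothing on this API.
        return "user-without-permissions"
    return "ok"


def has_permission(payload: dict, required: str, audience: str = API_AUDIENCE) -> bool:
    """API-side authorization check: the token must be issued for this API
    (aud may be a string or a list) and carry the required permission."""
    aud = payload.get("aud", [])
    audiences = aud if isinstance(aud, list) else [aud]
    if audience not in audiences:
        return False
    return required in payload.get("permissions", [])


if __name__ == "__main__":
    for label, claims in (("M2M", M2M_PAYLOAD), ("user", USER_PAYLOAD)):
        _, payload = decode_claims(build_unsigned_token(HEADER, claims))
        print(label, diagnose_permissions(payload), has_permission(payload, "read:tests"))
```

Running it prints `m2m-token` for the client credentials token and `ok` for the user token; only the latter passes `has_permission`. The `gty` and `@clients` checks are what tell you at a glance that a token came from the client credentials grant rather than from a user login.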
