I have set up a Vue 2 App based on the Auth0 SPA SDK quickstart and a .NET 6 API. I originally set this up in a trial tenant for some proof of concept work. It is all working. I have RBAC turned on with the option to add permissions into the token. On the API side I'm able to do the authorization and check all the permissions, etc.
We now have a paid B2B account so I’ve implemented the same Application and API there along with the users, roles, etc. In this new tenant the access token doesn’t have the permissions that are assigned to the logged in user via their Role. I’ve gone over all the auth0 settings, configs, audience, users, roles, etc many times. I’m not seeing anything different on the things that I can change.
I'm not sure if it is related, but I have noticed a behavior difference that might be key. While I'm only dealing with 1st party apps, I do get the consent screen as expected for localhost. In my working tenant, the first time a user logs in and consents, you are able to see the application under that user's 'Authorized Applications'. In the tenant that isn't giving me permissions, the consent screen is presented and accepted, the login is successful, but the application never shows on the user's authorized applications. Also, that user is never asked for consent again (I'm assuming they should be if the tenant believes they aren't authorized yet). Again, I'm not sure this consent behavior is related, but I thought it was worth mentioning.
Any thoughts on what non-obvious thing could be different between these tenants?
I sent the info in 2 DMs earlier (one with tenants & one with har file). Not trying to rush a response just making a note here since it doesn’t look like there is a receipt confirmation or way to view DM history.
The day after my original post here I opened a support ticket against the paid tenant as well. My understanding is that the longest support response time for any paid tier is 24 hours. The initial response to that ticket took 2 business days and was a question that concerned information I had already provided in the original ticket. I am now another 2 business days without a response on the ticket.
I believe I have provided sufficient information, examples and evidence that this is an issue that is out of my control. If the issue is something I can correct then I believe that the provided information & evidence should be more than enough to explain to me any mistake that has been made on my part.
What else can I do to assist in moving this towards resolution?
After working with you through direct messages on this issue, it seemed that your access token was generated for a different user_id than the initial user_id of the user authenticating.
This would justify why there are no permissions, as there isn’t a user with that user id with any permissions assigned to them.
Looking further, we concluded that you had a Pre-Registration Action that was adding a GUID to the app_metadata and storing it under user_id, which is a restricted property (Reference: Metadata Field Names and Data Types).
This seemed to have overridden the user’s official user_id and caused the access token to be issued to the GUID instead.
Now, at this point, to solve the issue, you would need to update your app_metadata with an empty object first, and then add back the properties you want.
Once that’s complete, the assigned permissions should appear in your access token.
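The root cause in the answer above is a Pre User Registration Action writing a GUID under the restricted `app_metadata` key `user_id`. The following is an added example, not the original poster's Action and not Auth0's own code, showing a defensive version of that Action plus the two-step metadata repair the answer describes. It assumes the Auth0 Actions handler shape (`event`, `api`, with `api.user.setAppMetadata(name, value)`); the key name `external_ref`, the injected `makeGuid` function, the fake `api` object and the sample metadata are constructed for this example. `user_id` is the reserved name from the thread; the other entries in the reserved set are an assumption drawn from the "Metadata Field Names and Data Types" reference the answer cites, so check that page for the authoritative list.

```javascript
// Added example: keep reserved property names out of app_metadata in a
// Pre User Registration Action, and build the repair sequence from the answer.

// `user_id` is the reserved name from the thread. The remaining names are an
// assumption based on Auth0's "Metadata Field Names and Data Types" reference.
const RESERVED_METADATA_KEYS = new Set([
  "user_id", "email", "email_verified", "username", "identities", "blocked",
]);

// Split candidate metadata into keys that are safe to store and keys that
// would collide with a user property (and, as in the thread, override it).
function sanitizeAppMetadata(candidate) {
  const accepted = {};
  const rejected = [];
  for (const [key, value] of Object.entries(candidate)) {
    if (RESERVED_METADATA_KEYS.has(key)) {
      rejected.push(key);
    } else {
      accepted[key] = value;
    }
  }
  return { accepted, rejected };
}

// Action handler. In a real Action this would be assigned to
// exports.onExecutePreUserRegistration (Auth0 awaits the handler, so it may
// also be declared async). `makeGuid` is injected so it runs offline here.
function onExecutePreUserRegistration(event, api, makeGuid) {
  const { accepted, rejected } = sanitizeAppMetadata({
    external_ref: makeGuid(), // hypothetical key: the GUID stored under a safe name
  });
  if (rejected.length > 0) {
    // Fail closed instead of silently clobbering a user property.
    throw new Error(`refusing to write reserved app_metadata keys: ${rejected.join(", ")}`);
  }
  for (const [key, value] of Object.entries(accepted)) {
    api.user.setAppMetadata(key, value); // documented Actions call
  }
  return accepted;
}

// Repair for an already-affected user, as the answer describes: two bodies for
// PATCH /api/v2/users/{id}. Step 1 replaces app_metadata with an empty object;
// step 2 adds back only the non-reserved properties.
function buildRepairPatches(currentAppMetadata) {
  const { accepted } = sanitizeAppMetadata(currentAppMetadata);
  return [
    { app_metadata: {} },
    { app_metadata: accepted },
  ];
}

// Minimal stand-in for the Actions `api` object so the handler can run here.
function fakeActionsApi() {
  const appMetadata = {};
  return {
    user: { setAppMetadata: (key, value) => { appMetadata[key] = value; } },
    appMetadata,
  };
}

// Constructed sample of the broken state from the thread: a GUID under user_id.
const POISONED_APP_METADATA = {
  user_id: "3f2504e0-4f89-11d3-9a0c-0305e82c3301", // constructed GUID
  plan: "b2b",
};

if (typeof require !== "undefined" && require.main === module) {
  const api = fakeActionsApi();
  onExecutePreUserRegistration({}, api, () => "constructed-guid");
  console.log("written:", api.appMetadata);
  console.log("repair:", JSON.stringify(buildRepairPatches(POISONED_APP_METADATA)));
}
```

The sanitizer is the part worth keeping: any Action or Management API client that writes metadata derived from external input should reject reserved names rather than rely on the API to do so, since a collision silently changes which user the access token is issued for.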