Permissions not included in access token for MFA flow

drew11 · February 11, 2021, 5:11pm

We are trying to enable MFA for certain users. We leverage roles/permissions but we have noticed that when a user goes through the MFA flow, the permissions array is not included in the access token. How can we have MFA and have permissions included in the access token?

stephanie.chamblee · February 12, 2021, 7:42pm

Hi @drew11,

Welcome to the Community!

I just tried this out with a rule using the Guardian and also using email MFA, and I seem to be getting a role added to the token. I probably don’t have quite the same setting to recreate this. Which type of MFA are you using (email, phone message, Guardian, etc.)? Also, would you mind sending the code from your rule that adds the role/permissions array to the token?

My rule that adds the role to the ID Token and Access Token:

function (user, context, callback) {
  const namespace = 'http://demozero.net';
  const assignedRoles = (context.authorization || {}).roles;

  let idTokenClaims = context.idToken || {};
  let accessTokenClaims = context.accessToken || {};

  idTokenClaims[`${namespace}/roles`] = assignedRoles;
  accessTokenClaims[`${namespace}/roles`] = assignedRoles;

  context.idToken = idTokenClaims;
  context.accessToken = accessTokenClaims;

  callback(null, user, context);
}

Thanks!

drew11 · February 16, 2021, 6:33pm

Hi,

We are trying to use SMS for MFA. Currently without MFA, we do not use a rule to add permissions. In our settings for our API, we have the following settings on “Enable RBAC” and “Add Permissions in the Access Token.” Enabling those added a “permissions” key with all of the users permissions to the access key. However, when a user logins using MFA, that “permissions” key is missing.

stephanie.chamblee · February 16, 2021, 8:32pm

Thank you for clarifying how the permissions are added to the token! I tried setting up an API in my tenant with RBAC enabled and “Add Permissions in Access Token” enabled, and I’m seeing the permissions property in the token with or without MFA. Unfortunately, I’m having trouble recreating the issue.

In order to take a deeper look to see what might be going on, would you mind sending me a HAR file in a direct message? Generate and Analyze HAR Files

Thanks!

vitaliy.obideyko · March 4, 2021, 7:33pm

Hi! I have exactly the same problem
Did you find any solution for this weird problem?

vitaliy.obideyko · March 9, 2021, 11:08am

Issue was on Auth0 side. And now it have been fixed on their side

Saltuk · March 9, 2021, 11:32am

As @vitaliy.obideyko mentioned, the issue with the permissions claims when implementing the resource owner flow with the MFA API has been resolved. The Universal Login flow was already working as expected.

system · March 24, 2021, 11:32am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.