RBAC Core - Access Token does not contain permissions in the scope with spring boot

Hello Auth0 community!

I’m new to Auth0, but not new to OAuth concepts, and I have a pretty frustrating issue at the moment. I have a Spring web application that uses the authorization_code flow to authenticate users.

My application uses the RBAC Core feature, and I’m struggling real hard to access the user permissions in the IdToken at the moment of authenticating.

What I did so far

  1. I went on and created a role “Super Admin” just to test.
  2. From there, I created new permissions that I assigned to this role.
  3. I then created a user to which I assigned the role I just created.
  4. Finally, I went into the API I created for my application, and toggled on the RBAC management.

Now, in my application, I requested the scopes for my permissions. However, the output token I get doesn’t contain the user’s permissions in the “scopes” output, and also doesn’t contain the “permissions” claim in the output.

Here is the IdToken I get if you wish to know


I even tried logging the user and the context by using a rule and debugging the output logs. Here’s what I get:

Not a trace of the user permissions in either the context or the user… So I’m really starting to wonder what I did wrong :thinking:

Anyway, sorry for the long post, and thanks a lot in advance for the help!

Hi @sunny.pelletier

Permissions will be in the access token, not the ID token.

John

My mistake. The access token does not contain the permissions in the scope list either.

In Spring, the user’s authority list is populated by the “scope” field returned when fetching the access token. The scope I get in the response is

"scope":"openid profile email"

Even though I did request “all the permissions + openid + profile + email” I don’t get the permissions from Auth0. Are permissions supposed to be added as scopes? What am I missing?

After hours of debugging, I found the reason. Auth0 requires you to pass an audience parameter for the authorization code flow if you want this to work.

        // Build the client registration from the tenant's OIDC discovery document.
        return ClientRegistrations
            .fromIssuerLocation(url)
            .registrationId(name)
            .clientId(clientId)
            .clientSecret(clientSecret)
            .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
            // Override the discovered authorization endpoint so that every authorization
            // request carries audience=<API identifier>. Auth0 only issues an access token
            // carrying the RBAC permissions (in "scope" / "permissions") for that API.
            .authorizationUri(
                UriComponentsBuilder.fromHttpUrl(tenant.uaa.authorizeUrl)
                    .queryParam("audience", "your-api-identifier")
                    .build()
                    .toUriString()
            )
            // Standard OIDC scopes plus the permission(s) defined on the API;
            // Spring maps each granted scope to a SCOPE_<scope> authority.
            .scope(
                "openid",
                "profile",
                "email",
                "my.custom.permission"
            )
            .build()

and that’s it. This is not described anywhere in the tutorial for the Spring setup at the moment, so would this require an update?
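As an added example (not the thread author's code or Auth0's), an alternative to rewriting authorizationUri is a custom OAuth2AuthorizationRequestResolver that appends the audience parameter to every authorization request, with the resulting SCOPE_ authority used in the filter chain. It assumes Spring Security 6 with the lambda DSL; the API identifier and the /admin path are placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class Auth0RbacLoginConfig {

    // Placeholder: use the Identifier of the API registered in the Auth0 dashboard.
    private static final String API_AUDIENCE = "your-api-identifier";

    // Base URI Spring uses by default for /oauth2/authorization/{registrationId}.
    private static final String AUTHORIZATION_BASE_URI = "/oauth2/authorization";

    /**
     * Adds audience=<API identifier> to every authorization request. Without it Auth0
     * issues an access token meant only for /userinfo and drops the requested permission
     * scopes, which is why "scope" came back as "openid profile email" in the thread.
     */
    @Bean
    OAuth2AuthorizationRequestResolver audienceAwareResolver(ClientRegistrationRepository registrations) {
        DefaultOAuth2AuthorizationRequestResolver resolver =
            new DefaultOAuth2AuthorizationRequestResolver(registrations, AUTHORIZATION_BASE_URI);
        resolver.setAuthorizationRequestCustomizer(builder ->
            builder.additionalParameters(params -> params.put("audience", API_AUDIENCE)));
        return resolver;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, OAuth2AuthorizationRequestResolver resolver)
            throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Spring maps each scope in the token response to a SCOPE_<scope> authority,
                // so the permission "my.custom.permission" from the post becomes this authority.
                .requestMatchers("/admin/**").hasAuthority("SCOPE_my.custom.permission")
                .anyRequest().authenticated())
            .oauth2Login(login -> login
                .authorizationEndpoint(endpoint -> endpoint.authorizationRequestResolver(resolver)));
        return http.build();
    }
}
```

The resolver approach keeps the discovered authorization endpoint intact, so a later change of the tenant's authorize URL in the discovery document does not need a code change.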