RBAC Core - Access Token does not contain permissions in the scope with spring boot

Hello Auth0 community!

I’m new to Auth0, but not new to OAuth concepts, and I have a pretty frustrating issue at the moment. I have a Spring web application that uses the authorization_code flow to authenticate users.

My application uses the RBAC Core feature, and I’m struggling real hard to access the user permissions in the IdToken at the moment of authenticating.

What I did so far

  1. I went on and created a role “Super Admin” just to test.
  2. From there, I created new permissions that I assigned to this role.
  3. I then created a user to which I assigned the role I just created.
  4. Finally, I went into the API I created for my application, and toggled on the RBAC management.

Now, in my application, I requested the scopes for my permissions. However, the output token I get doesn’t contain the user’s permissions in the “scopes” output, and also doesn’t contain the “permissions” claim in the output.

Here is the IdToken I get if you wish to know


I even tried logging the user and the context by using a rule and debugging the output logs. Here’s what I get:

Not a trace of the user permissions in either the context or the user… So I’m really starting to wonder what I did wrong :thinking:

Anyway, sorry for the long post, and thanks a lot in advance for the help!

Hi @sunny.pelletier

Permissions will be in the access token, not the ID token.

John


My mistake. The access token does not contain the permissions in the scope list either.

In Spring, the user’s authority list is populated by the “scope” field returned when fetching the access token. The scope I get in the response is

"scope":"openid profile email"

Even though I did request “all the permissions + openid + profile + email” I don’t get the permissions from Auth0. Are permissions supposed to be added as scopes? What am I missing?

After hours of debugging, I found the reason. Auth0 requires you to pass an audience parameter for the authorization code flow if you want this to work. Since there is no way to do that in Spring, the trick is to pass it as a query parameter.

        // `url` is the Auth0 tenant issuer, e.g. https://TENANT.auth0.com/ (the
        // OIDC discovery document is fetched from there); `name`, `clientId` and
        // `clientSecret` come from configuration.
        return ClientRegistrations
            .fromIssuerLocation(url)
            .registrationId(name)
            .clientId(clientId)
            .clientSecret(clientSecret)
            .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
            // Spring's authorization-code support has no hook for extra /authorize
            // parameters, so override the discovered authorization endpoint with a
            // copy that carries the Auth0 `audience` parameter. Note the path: the
            // endpoint is {issuer}/authorize, not the issuer itself.
            .authorizationUri(
                UriComponentsBuilder.fromHttpUrl(url)
                    .pathSegment("authorize")
                    .queryParam("audience", "your-api-identifier")
                    .build()
                    .toUriString()
            )
            // Requested scopes; the permission scopes only come back when the
            // audience above is the API on which RBAC was enabled.
            .scope(
                "openid",
                "profile",
                "email",
                "my.custom.permission"
            )
            .build();

and that’s it. This is not described anywhere in the tutorial for the spring setup at the moment, so would this require an update?

Hi @sunny.pelletier

Good find! You should always include an audience in your access token request; that is probably why it is not highlighted in the tutorial.

If you do not include an audience you get an opaque access token back, which is not a JWT, so you can’t even decode it.

John

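The two checks this thread turned on, as an added example (not the poster's code, and not Spring code): whether the access token is a JWT at all (John's point about opaque tokens when no audience is sent) and whether the "scope" field of the token response actually carries the requested permission scopes, plus what the JWT's audience and "permissions" claim contain. The token responses below are constructed sample data with placeholder tenant and audience values, and the claims are decoded without signature verification, which is only appropriate for inspecting a response on a developer machine.

```python
"""Inspect an OAuth2 token response for the scopes and permissions you expected.

Added example for this thread (not the original poster's code). Claims are
decoded WITHOUT signature verification; anything that trusts the claims must
verify the signature against the tenant's JWKS first.
"""
from __future__ import annotations

import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def is_jwt(token: str) -> bool:
    """True if the token has the header.payload.signature shape of a JWT.

    An opaque access token (what Auth0 returns when no audience is requested)
    is a random string and fails this check, so it cannot be decoded.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from ValueError
        return False
    return isinstance(header, dict) and "alg" in header


def decode_claims_unverified(token: str) -> dict:
    """Return the payload claims of a JWT without checking its signature."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def inspect_token_response(token_response: dict, requested_scopes: list[str]) -> dict:
    """Compare what was requested with what the token endpoint returned."""
    access_token = token_response["access_token"]
    granted = set(token_response.get("scope", "").split())
    report = {
        "access_token_is_jwt": is_jwt(access_token),
        "granted_scopes": sorted(granted),
        "missing_scopes": sorted(set(requested_scopes) - granted),
        "audience": None,
        "permissions_claim": None,
    }
    if report["access_token_is_jwt"]:
        claims = decode_claims_unverified(access_token)
        report["audience"] = claims.get("aud")
        report["permissions_claim"] = claims.get("permissions")
    return report


# --- constructed sample data (not real tokens) -------------------------------

REQUESTED_SCOPES = ["openid", "profile", "email", "my.custom.permission"]


def _constructed_jwt(payload: dict) -> str:
    """Build a JWT-shaped string with a dummy signature, for test data only."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(payload), "constructed-signature"])


# Shape of the response without an audience parameter: the scope lacks the
# permission and the access token is opaque (a made-up string here).
OPAQUE_RESPONSE = {
    "access_token": "constructed_opaque_token_HsY3Fq9kQ",
    "scope": "openid profile email",
    "token_type": "Bearer",
}

# Shape of the response with audience=your-api-identifier: the scope carries the
# permission and the access token is a JWT. The "permissions" claim is present
# when the API's "Add Permissions in the Access Token" setting is on. TENANT is
# a placeholder.
JWT_RESPONSE = {
    "access_token": _constructed_jwt({
        "iss": "https://TENANT.auth0.com/",
        "sub": "auth0|constructed-user-id",
        "aud": ["your-api-identifier", "https://TENANT.auth0.com/userinfo"],
        "scope": "openid profile email my.custom.permission",
        "permissions": ["my.custom.permission"],
    }),
    "scope": "openid profile email my.custom.permission",
    "token_type": "Bearer",
}


if __name__ == "__main__":
    for label, response in (("no audience", OPAQUE_RESPONSE), ("with audience", JWT_RESPONSE)):
        print(label, json.dumps(inspect_token_response(response, REQUESTED_SCOPES), indent=2))
```

Run against a real token response, the "missing_scopes" list is the quickest way to see that a permission scope was requested but not granted, and "access_token_is_jwt" being false is the sign that the audience never reached the authorization request.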

I eventually figured it out, but it was not so obvious when it’s your first time using Auth0.

The other challenge was also to figure out how to pass the audience parameter. Spring has no easy way to customise the request body during the exchange, but fortunately, using the request parameter worked.

Maybe it would be worth highlighting it in the tutorial.

Thanks for the support!


Perfect! Glad it’s working now!