RBAC Step up Authentication Custom Scopes

I am using an API with RBAC enabled and I am including the permissions in the access token. My problem now is that I need to use MFA when the user wants to withdraw funds from our platform.

Before I turned RBAC on, I could request the custom scope withdraw:funds and then the access token would include this scope, but since I turned RBAC on the access token includes the scopes: openid profile email.

Now my question is how can I include both the permissions from the user and the requested scope in the access token?

I need to use the permission, because the user needs to complete a KYC process before using our platform and I am setting a permission after the user has completed this process.

Hi @gregor1337,

Welcome to the Community!

Have you enabled Add Permission in the Access Token in your API setup?

Let me know and we can go from there!

Hi, yes, I’ve enabled that setting. If I enable it I get the permissions in the access token, but once this feature is enabled, newly requested scopes through MFA (e.g. withdraw:funds) are not returned within the access token, only the permissions that are set in the user’s account.


Sorry for the delayed response.

I did more digging on this, and found this from the doc:

As long as RBAC is enabled, the scope claim of the access token includes an intersection of the requested permissions and the permissions assigned to the user, regardless of whether permissions are also included in the access token.

If the user does not have the permission withdraw:funds assigned to them, then it won't show up in the token.
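To make the intersection rule quoted above concrete, here is an added example that models what the thread describes; it is not Auth0's code and does not call any Auth0 API. It assumes the documented behaviour: standard OIDC scopes (openid, profile, email) pass through, an API permission such as withdraw:funds lands in the `scope` claim only when it was both requested and assigned to the user, and the "Add Permissions in the Access Token" setting additionally emits a `permissions` claim listing everything assigned. The KYC permission name `kyc:complete` is a constructed placeholder for whatever permission the original poster grants after KYC, and `require_withdraw_access` is a hypothetical API-side check the resource server would run on a decoded token.

```python
"""Model of RBAC scope intersection and an API-side step-up check (added example)."""

# Standard OIDC scopes are not API permissions, so RBAC passes them through untouched.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}


def issue_access_token(requested_scope: str, user_permissions: list[str],
                       add_permissions_claim: bool) -> dict:
    """Return the claims an RBAC-enabled authorization server would put in the token.

    requested_scope      -- space-separated scope string from the authorize request
    user_permissions     -- permissions assigned to the user for this API (RBAC)
    add_permissions_claim -- the "Add Permissions in the Access Token" toggle
    """
    requested = set(requested_scope.split())
    assigned = set(user_permissions)

    # scope claim = OIDC scopes that were requested
    #             + (requested API permissions ∩ permissions assigned to the user)
    granted = (requested & OIDC_SCOPES) | ((requested - OIDC_SCOPES) & assigned)

    token = {"scope": " ".join(sorted(granted))}
    if add_permissions_claim:
        # The toggle adds every assigned permission, independent of what was requested.
        token["permissions"] = sorted(assigned)
    return token


def require_withdraw_access(token: dict,
                            step_up_scope: str = "withdraw:funds",
                            kyc_permission: str = "kyc:complete") -> bool:
    """API-side check for the withdraw endpoint (hypothetical).

    Two independent conditions, mirroring the original poster's design:
      1. the step-up scope must be present in `scope` (it was requested in the MFA flow
         AND is assigned to the user), and
      2. the KYC permission must be present in `permissions`.
    """
    scopes = set(token.get("scope", "").split())
    permissions = set(token.get("permissions", []))
    return step_up_scope in scopes and kyc_permission in permissions


if __name__ == "__main__":
    # Constructed scenario 1: user finished KYC but withdraw:funds was never assigned.
    # This reproduces the thread: the scope is requested but silently dropped.
    t1 = issue_access_token("openid profile email withdraw:funds",
                            ["kyc:complete"], add_permissions_claim=True)
    print(t1)  # scope is only "email openid profile"

    # Constructed scenario 2: withdraw:funds is assigned (e.g. granted after KYC),
    # so the requested scope survives the intersection and the API check passes.
    t2 = issue_access_token("openid profile email withdraw:funds",
                            ["kyc:complete", "withdraw:funds"], add_permissions_claim=True)
    print(t2, require_withdraw_access(t2))
```

The practical takeaway from the model: assigning withdraw:funds to the user (for example as part of the same step that grants the KYC permission) is what lets the step-up request for that scope actually appear in the token, and the API should still verify both claims rather than trusting either one alone.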