I’ve been having a hell of a time trying to get permissions to appear in the ID token of the response that comes back from the /oauth/token endpoint when using Resource Owner Password flow.
From what I understand, if you go to the Auth0 Authorization extension and configure it to pass Permissions through the Token Contents (taking care to click Publish), the user’s permissions should just appear in the ID token when the user logs in via the /oauth/token endpoint. I’ve tried playing around with specifying “permissions” as a scope in the /oauth/token request and that still doesn’t seem to help.
Have I understood this correctly? The only way I can seem to retrieve permissions for a user is if I use the old /oauth/ro and /tokeninfo endpoints, which I don’t want to do.
As you have stated, the behavior available in the now legacy endpoints would allow for the information set by the rule to be available almost automatically; for the case of the token itself, I believe you would still have to require the permissions as a scope value.
However, none of the roles, groups and permissions data are standard OpenID Connect (OIDC) information, and as such there’s also no corresponding scope value that would allow requesting that information to be included in the ID token.
Since the /oauth/token endpoint provides responses compliant with the OIDC specification, the previously available mechanism to include the permissions in the token no longer applies. However, the extension itself still implies that, as the legacy endpoints are still available.
If you want to include custom information in the ID token issued as part of an OIDC compliant flow then you’ll need to use custom claims and set those custom claims in a rule. Given you already have a rule (from the extension) that sets the permissions information at the user object level, you should be able to accomplish what you want by creating an additional rule that runs after the extension one and that has the following logic:
function (user, context, callback) {
  // Custom claims need a URL-style namespace so they cannot collide with
  // standard OIDC claims.
  const namespace = 'https://app.example.com/';
  // user.permissions is populated by the Authorization extension's own rule,
  // which must run before this one.
  context.idToken[namespace + 'permissions'] = user.permissions;
  callback(null, user, context);
}
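The same idea carried a step further, as an added example rather than code from the post above: a rule that copies the extension's roles, groups and permissions into namespaced claims on both the ID token and the access token, and tolerates the extension rule not having populated the user object. The namespace value, the function name and the local harness are assumptions for illustration.

```javascript
// Namespace for custom claims; assumed value, replace with your own URL.
const NAMESPACE = 'https://app.example.com/';

// Auth0 rule signature: (user, context, callback). Name is hypothetical.
function addAuthzClaims(user, context, callback) {
  // The extension's rule must run first. If it has not populated the user
  // object, emit empty arrays rather than an undefined claim, so relying
  // parties see "no permissions" instead of a missing key.
  const authz = {
    roles: Array.isArray(user.roles) ? user.roles : [],
    groups: Array.isArray(user.groups) ? user.groups : [],
    permissions: Array.isArray(user.permissions) ? user.permissions : [],
  };

  // Guard against a context without token objects so assignment cannot throw.
  context.idToken = context.idToken || {};
  context.accessToken = context.accessToken || {};

  Object.keys(authz).forEach((key) => {
    // URL-style namespace keeps custom claims apart from standard OIDC claims
    // such as "sub" or "aud".
    const claim = NAMESPACE + key;
    context.idToken[claim] = authz[key];
    // Also expose the data to APIs that validate the access token.
    context.accessToken[claim] = authz[key];
  });

  return callback(null, user, context);
}

// Local harness mimicking how Auth0 invokes a rule, fed with a constructed
// user and context, so the claim mapping can be checked outside a tenant.
function runRule(user, context) {
  let result;
  addAuthzClaims(user, context, (err, _user, ctx) => {
    if (err) throw err;
    result = ctx;
  });
  return result;
}

// Constructed sample input: what the extension rule would leave on the user.
const sampleUser = { permissions: ['read:reports'], roles: ['admin'] };
console.log(runRule(sampleUser, { idToken: {}, accessToken: {} }).idToken);
```

Once deployed after the extension's rule, decode the ID token returned by /oauth/token and confirm the `https://app.example.com/permissions` claim is present; an absent claim usually means the rule order or the namespace is wrong.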
Thanks for that @jmangelo, your suggestion worked. I had encountered this code in some of your documentation in relation to adding custom claims to OIDC tokens in the past, although I hadn’t realised I needed to implement this to get the Auth0 Authorization extension working with the /oauth/token endpoint. The impression I had gotten from the Authorization Extension documentation was that it should just work once you configure it to pass through permissions to the ID_Token. Unless I missed something, I’d imagine this documentation needs to be updated.