Roles and permissions not added by default

Continuing the discussion from How can I add the permissions claim in my Access Token with Rules?:

Problem statement

  • I have enabled the RBAC as per instructions and want to have both roles and permissions in my token. Currently we use custom claims to add scopes using rules


  • Roles and permissions aren’t added to the token by default, as expected. Token doesn’t contain any of the information assigned to the user through users management page in the dashboard (user definitely has a role assigned, and role has permissions). If I however do add a custom action to post-login flow (that runs after those existing custom scope-assigning rules), same as suggested here I can see the roles in my token, but I cannot add individual permissions as they’re not available through action trigger even object.

Can you please help? I would like this to be as seamless as possible and avoid any custom rules and overrides. Thank you

If everything is working automatically do roles and permissions end up in app_metadata?
because I have that as empty
app_metadata": {
“authorization”: {
“groups”: ,
“roles”: ,

Hi there @milan.milojic !

Thanks for the detailed description of the issue, very helpful!

Assuming you have roles w/ permissions assigned directly to a user AND are including the audience param (API identifier) for an API that has RBAC + “add permissions in the Access Token” enabled then the resulting access token should have a permissions claim with the relevant permissions added:

Access Token:

Roles themselves will need to be added as a custom claim to access tokens - I will note that it is common practice to infer roles from permissions so the extra step to add the actual roles as custom claims by way of a rule/action is not necessarily required.

Are you able to confirm you have RBAC as well as the option to add permissions to access tokens enabled for the API which you are using as your audience?

Keep us posted!

1 Like

Hi @tyf ,

Apologies for the late reply. We have everything sorted out now.
I was expecting permissions to be included in both id token and access token (but I realize they don’t belong in the id token at all). And thank you for pointing out the audience config, that was also an issue with some of the testing.
All is good now.

That’s great to hear! Thanks for following up with the community :slight_smile:

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.