
Roles are empty in ID Token when using a Machine to Machine Application

scopes
authorization-extens
machine-to-machine

#1

I use the Authorization Extension to add an ADMIN role to a user. When I log in using the client ID of an SPA Application, my rule that adds the namespaced roles claim to the generated ID Token works successfully. However, when I use (for testing purposes) the Management API to call /oauth/token with scope: 'openid email profile roles', I notice that the roles always come back as an empty array. When I tried debugging the rules I saw that data.roles is empty as well, even though this rule was published by the Extension and was not touched by me. Any idea why?


#2

So I was able to trace it to the auth0-authorization-extension rule indeed. The getPolicy function never returns the user Roles for the Machine to Machine client.
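The following is an added example, not code from the thread and not the Authorization Extension's own rule. It shows the shape of a rule that copies the roles the extension exposes on `context.authorization` into a namespaced ID Token claim, and runs it against two constructed inputs: one where roles were populated (the SPA login case above) and one where the array came back empty (the machine-to-machine case). The namespace, the `rolesClaimFor` helper, the client IDs and the user object are all assumptions made for illustration.

```javascript
// Added example: a simplified Auth0-style rule that copies the roles the
// Authorization Extension exposes on context.authorization into a namespaced
// ID Token claim. This is NOT the extension's published rule; the namespace
// and the sample user/context objects below are constructed for illustration.
const NAMESPACE = 'https://example.com/'; // assumption: placeholder claim namespace

// Rule body in the shape Auth0 rules use: function (user, context, callback).
function addRolesClaim(user, context, callback) {
  const authz = context.authorization || {};
  const roles = Array.isArray(authz.roles) ? authz.roles : [];
  context.idToken = context.idToken || {};
  context.idToken[NAMESPACE + 'roles'] = roles;
  // The symptom from the thread: an empty roles array on a token request.
  // Logging it makes the condition visible while debugging the rule chain
  // (the log line is a constructed detail, not something the extension emits).
  if (roles.length === 0) {
    console.log('roles claim is empty for client ' + context.clientID);
  }
  return callback(null, user, context);
}

// Helper for the sample runs below (assumption, not part of Auth0): invoke the
// rule with a callback and return the resulting roles claim.
function rolesClaimFor(user, context) {
  let result = null;
  addRolesClaim(user, context, (err, u, ctx) => {
    if (err) throw err;
    result = ctx.idToken[NAMESPACE + 'roles'];
  });
  return result;
}

// Constructed sample inputs: an SPA login where the extension populated roles,
// and a machine-to-machine style request where it did not.
const sampleUser = { user_id: 'auth0|example-user', email: 'user@example.com' };
const spaContext = {
  clientID: 'SPA_CLIENT_ID_PLACEHOLDER',
  authorization: { roles: ['ADMIN'] },
  idToken: {}
};
const m2mContext = {
  clientID: 'M2M_CLIENT_ID_PLACEHOLDER',
  authorization: { roles: [] },
  idToken: {}
};

console.log('SPA roles claim:', rolesClaimFor(sampleUser, spaContext));
console.log('M2M roles claim:', rolesClaimFor(sampleUser, m2mContext));
```

Running the block prints `['ADMIN']` for the SPA-style context and `[]` for the machine-to-machine-style one, which mirrors the behaviour described in the thread: the claim-adding rule itself works, so an empty claim points at whatever populated `context.authorization` (the extension's rule) rather than at the rule that writes the ID Token.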