Roles are empty in ID Token when using a Machine to Machine Application

I use the Authorization Extension to add an ADMIN role to a user. When I log in using the client ID of an SPA Application, my rule that adds the namespaced roles claim to the generated ID Token works successfully. However, when I use (for testing purposes) the Management API to call /oauth/token with scope: 'openid email profile roles', I notice that the roles always come back as an empty array. When I tried debugging the rules, I saw that data.roles is empty as well, even though this rule was published by the Extension and was not touched by me. Any idea why?

So I was able to trace it to the auth0-authorization-extension rule indeed. The getPolicy function never returns the user Roles for the Machine to Machine client.

Thank you a lot for sharing it with everyone in the community!
