Scopes and permissions with RBAC for Machine-to-machine authentication

tommyr · May 6, 2020, 3:09pm

I have two Applications (an SPA and a Machine to Machine app), and a custom API registered in my Auth0 account. The API has RBAC enabled, and a few permissions configured for it.

When I perform the client_credential OAuth grant using my M2M app, the token that comes back includes two claims (scope and permissions), and both always include all allowed permissions for that application, regardless of what scopes I request. Is this expected?

In contrast, authenticating with the SPA gives me a token with a permissions claim including all allowed permissions, and a scope claim including only requested scopes.

dan.woda · May 27, 2020, 8:42pm

Hi @tommyr,

I apologize for the delay.

Permissions and RBAC are user-centric. This is explained better here:

This would explain the difference in how they are treated in a SPA where a user is requesting an access token and a M2M app where there is no user.

Hope this helps in some way!
Dan

system · June 11, 2020, 8:42pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Difference between scopes and permissions in access token Help scopes , permissions	5	10352	August 31, 2019
Differences between Scopes and Permissions Knowledge Articles token , scopes , permissions , scope , client-credentials	1	9168	October 16, 2019
RBAC permissions for SPA app and API Help rbac	1	5424	September 12, 2019
Scopes vs Permissions confusion Help	10	15846	December 8, 2020
Auth0 Machine to Machine permission in JWT Help jwt , auth0 , api	2	5368	October 26, 2019

Scopes and permissions with RBAC for Machine-to-machine authentication

Related topics