Scopes and permissions with RBAC for Machine-to-machine authentication

I have two Applications (an SPA and a Machine to Machine app), and a custom API registered in my Auth0 account. The API has RBAC enabled, and a few permissions configured for it.

When I perform the client_credentials OAuth grant using my M2M app, the token that comes back includes two claims (scope and permissions), and both always include all allowed permissions for that application, regardless of what scopes I request. Is this expected?

In contrast, authenticating with the SPA gives me a token with a permissions claim including all allowed permissions, and a scope claim including only requested scopes.
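The asymmetry described above, as an added illustration that is not part of the original post or of Auth0's own code: the claim payloads, the tenant/audience/permission names and the `authorize` policy (grant only when a permission appears in both claims) are all constructed assumptions.

```python
# Constructed sample payloads standing in for the two access tokens the
# question compares. They are not real Auth0 tokens and carry no signature;
# permission and issuer names are made up for the example.
CLIENT_PERMISSIONS = ["read:reports", "write:reports", "delete:reports"]

# client_credentials (M2M) token: scope and permissions both carry the full
# set granted to the application, whatever scopes were requested.
M2M_CLAIMS = {
    "iss": "https://example-tenant.auth0.com/",
    "aud": "https://api.example.com",
    "scope": " ".join(CLIENT_PERMISSIONS),
    "permissions": CLIENT_PERMISSIONS,
}

# SPA (user) token: permissions carries everything the user holds, while
# scope is narrowed to what the application actually requested.
SPA_CLAIMS = {
    "iss": "https://example-tenant.auth0.com/",
    "aud": "https://api.example.com",
    "sub": "auth0|user123",
    "scope": "openid read:reports",
    "permissions": CLIENT_PERMISSIONS,
}


def granted_scopes(claims: dict) -> set:
    """The scope claim is a space-delimited string; return it as a set."""
    return set(claims.get("scope", "").split())


def scope_was_narrowed(claims: dict, requested: set) -> bool:
    """True when the issued scope claim stays within what the caller asked for.

    For the M2M token this is False: the scope claim is the client's whole
    grant, so requesting fewer scopes does not reduce the token's reach.
    """
    return granted_scopes(claims) <= requested


def authorize(claims: dict, required: str) -> bool:
    """Conservative API-side check (an assumed policy, not an Auth0 rule):
    allow only if the permission is present in BOTH the RBAC permissions
    claim and the scope claim, so a narrowed user scope is honoured."""
    in_permissions = required in claims.get("permissions", [])
    in_scope = required in granted_scopes(claims)
    return in_permissions and in_scope
```

Run `scope_was_narrowed(M2M_CLAIMS, {"read:reports"})` against the M2M payload to see that requesting a single scope does not limit the client-credentials token, which is the behaviour the question reports.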

Hi @tommyr,

I apologize for the delay.

Permissions and RBAC are user-centric. This is explained better here:

This would explain the difference in how they are treated in a SPA, where a user is requesting an access token, and an M2M app, where there is no user.

Hope this helps in some way!