I’m new to Auth0 and getting a bit confused about scopes and permissions and how they relate. A lot of the documentation implies that scopes are permissions, and that you should create scopes such as “read:messages” and “write:messages”. But when you create Permissions in the API, and then request…

:wave: I would like to share some updates for the core authorization . We introduced TOKEN_DIALECT which helps to get the scopes in the Access Token based on the permissions assigned to the user either directly or through roles. When the RBAC feature is enabled along with token dialect for an API, …

Hi @chrisj2 , here are some related threads on this: [image] Difference between scopes and permissions in access token Help Hello, im not sure if i misunderstood something or if i chose the wrong implementation for my use case. I will try to explain my problem. I have c…

Thanks for those links. Reading them has made me even more confused, what is the correct behaviour supposed to be? If I’m writing an API, do I need to check both the Permissions claim and the Scopes claim to determine permissions, because Auth0 might set them in one or the other depending on config…

Gonna +1 this. I am fighting with the same thing in the documentation right now. There is no clear guidance on what you’re supposed to do here. I’m also using the ASP.NET Core API Quickstart, and it simply doesn’t work as written. First, it neglects to mention that you need to turn on RBAC and the …

+1 this as well, i am having exactly the same confusion.

+1 from me too. I am also incredibly confused. That first thread provides a solution for the poster’s specific scenario, but doesn’t make clear the distinction between scopes and permissions. The behaviour seems really inconsistent.

I am back into this today trying to figure it out also. I tried to email support and didn’t ever get a clear answer. Trying to get an API that can validate the permissions of a M2M app and a user seems like such a simple requirement for Auth0 to fulfill, but it doesn’t work without major hoops to ju…

I think the answer is to modify their code to first check for permissions, then move on to checking for the scope like they demonstrate. This seems to be working for me. Whether this is the correct approach, I have no idea since they won’t give a clear answer or update example. I’ll keep messing wit…

Thanks for updating that thread Saltuk!

Scopes vs Permissions confusion

Get Help

mathiasconradt September 16, 2019, 6:52am 2

Hi @chrisj2,

here are some related threads on this:

Topic		Replies	Views
Permissions: claim or scopes Get Help scopes , claims , permissions	11	18616	December 8, 2020
Trouble understanding scopes vs permissions Get Help api , scopes , access-token , api-authorization , scope	7	9449	January 4, 2021
How can I get permissions into my scope in the access token? Get Help auth0	10	10855	April 2, 2020
Why are scopes/permissions are duplicated in JWT tokens issued by Auth0? Get Help	2	846	April 29, 2024
Confused: Permissions are not part of Scopes in JWT token Get Help jwt	3	4246	March 5, 2021

Scopes vs Permissions confusion

Related topics