Stuck implementing on authorization (react web app / node.js api server)

I have an existing React application powered by a Node.js API server. I want to migrate to use Auth0 for authentication and authorization (access control) but I’m running into issue getting both authentication and authorization working.

I’ve created an Auth0 API in the console and set up the proper middleware in my api server. I followed the directions in the Test tab in the application to generate the Machine to Machine token and authentication is working fine. I also downloaded the Auth0 React sample application and created an Auth0 Application and I am able to authenticate in the sample React application and make the API calls to the authenticated endpoints on the server without issue.

Where I’m struggling is with the authorization. The whole point of integrating Auth0 is for me to be able to implement access control across every endpoint. I want to define read and write permissions to apply to every endpoint that requires authentication. So I’ve created a couple initial permissions under the Auth0 API and set up endpoints to require these permissions. But I can’t figure out how to log in as a user that has those permissions. The token created from the API -> Test tab is based on the Machine to Machine application so there are no permissions associated with that token and therefore can’t access the scoped APIs. I created an Auth0 role and assigned the permissions from the API and then I created an Auth0 user and made sure that user was assigned the new role. When I log into that user in the React sample application and make the API call it fails because the JWT token doesn’t include the permissions for the API.

It seems like I don’t completely understand how roles and permissions are applied to a token but these are the two questions that stand out:

  1. Why doesn’t the user have the proper permissions when I log into the React app even though I’ve added those permissions to the role that the user is assigned to?

  2. How can I generate a token for an existing user to be able to make API calls as that user to test access control (via Postman)? A machine to machine token is pointless because it has no permissions.

Hi @ambrose,

Welcome to the Community!

First of all, you are on the right track. You should be able to assign permissions directly to a user, or implicitly with a role and have them show up in the access token. A few basic things to check before we explore any one-offs:

  • Have you toggled on Add Permissions in the Access Token and Enable RBAC in the API settings?
  • Are you requesting a token for your custom API? You do this with the audience param in the auth request in your react app. (if you are following the quickstart you should have done this).
  • A M2M token will not have the user permissions. It will be the permissions of whatever app you selected at the test application. It doesn’t sound like you want M2M tokens anyways.
  • Have you inspected the tokens in your react app to see what is going on? You can find them in the network tab of dev tools in chrome, usually as a response from the /token endpoint. Use jwt.io to decode them easily. (if this isn’t a jwt, if it looks like a random string you cannot decode, then you have not added your custom API as the audience.

Also, a great debugging tool, if you simply want to request tokens for a user and isolate the issue a bit, you can use the authentication API debugger.
Go to the OAuth2 / OIDC tab and click the Oauth2/OIDC Login button

Here is an example of an access token for a user that has do:something permissions for my test-api directly assigned, and implicitly has read:test permissions from a role I assigned to the user. The access token payload should look something like this:

"payload": {
    "iss": "https://TENANTNAME.auth0.com/",
    "sub": "auth0|123456789123456789",
    "aud": [
      "https://test-api",
      "https://TENANTNAME.auth0.com/userinfo"
    ],
    "iat": 1605897254,
    "exp": 1605897314,
    "azp": "s5df46as8dfa13s5d1f6as4d98af4sd6",
    "scope": "openid email",
    "permissions": [
      "do:something"
      "read:test"
    ]
  },