John Smith

Reputation: 1280

Auth0. How to get user's permissions in access token?

How do I get a user's permissions in the access token using Auth0's Core Authorization feature (in the very first authorize request)? I need an array of all permissions along with other information about the user.

P.S. I've created a role and permissions and assigned the role to the user. I enabled the Add Permissions in the Access Token toggle and RBAC in the API settings.

Upvotes: 3

Views: 2312

Answers (2)

Kavindu Nilshan

Reputation: 811

I had the same question and resolved it as follows:

You need to add the audience to the authorizationParams on the Auth0Provider tag in your React application:

<Auth0Provider
    domain={auth0Domain}
    clientId={clientId}
    authorizationParams={{
        redirect_uri: window.location.origin,
        ...(audience ? { audience: audience } : null),
    }}
>
    <App />
</Auth0Provider>

Once configured, you can access the permissions by calling getAccessTokenSilently (ensure the Add Permissions in the Access Token toggle is enabled under the API settings in the Auth0 dashboard).

For further reference, check Auth0's official React sample: https://github.com/auth0-samples/auth0-react-samples/tree/master

Additionally, this Medium article explains the steps in detail and can help if you encounter further issues: https://medium.hexadefence.com/securing-a-react-app-with-auth0-9140e0149e55

Upvotes: 2

Ryan Tomaselli

Reputation: 63

It was not obvious in any of the documentation but adding the "audience" parameter like so made it so a permissions array for the API (in my case "settings") is returned.

<Auth0Provider
  domain={process.env.REACT_APP_AUTH0_DOMAIN}
  client_id={process.env.REACT_APP_AUTH0_CLIENT_ID}
  redirect_uri={window.location.origin}
  audience={'settings'}
  onRedirectCallback={appState => {
    window.history.replaceState(
      {},
      document.title,
      appState && appState.targetUrl
        ? appState.targetUrl
        : window.location.pathname
    )
  }}
>
  {app}
</Auth0Provider>

Decoded access token payload (excerpt):

"permissions": [
  "create:settings",
  "read:settings",
  "update:settings"
]

I then wanted to request permissions for multiple audiences (logical APIs in my case) but currently you can only pass a single audience.

The recommendation is to create a single logical API and put all the permissions under that API and then use that as the "audience" to pull back all the permissions.

Reference: https://auth0.com/docs/api-auth/tutorials/represent-multiple-apis

Upvotes: 4
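Both answers end at the point where the token carries a `permissions` claim. The following is an added example, not code from the question or either answer, showing what a practitioner does next: read the claim out of the token returned by `getAccessTokenSilently` for UI gating, apply the same check on the API side after signature verification, and group "action:resource" permissions by resource, which is the shape you get when all logical APIs are folded into one audience as the second answer recommends. The token is a constructed, unsigned sample; the issuer, subject and `makeToken` helper are assumptions for the demo.

```javascript
// Added example (not from the question or either answer). Assumes the
// audience + "Add Permissions in the Access Token" + RBAC setup described
// above; the token used here is constructed and carries no real signature.

// Base64url -> UTF-8 string. JWT segments are unpadded base64url.
function base64UrlDecode(segment) {
  const base64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = base64 + '='.repeat((4 - (base64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Decode the payload of a compact JWS WITHOUT verifying it. Safe only for
// UI decisions (show/hide a button); authorization belongs on the API after
// signature, issuer, audience and expiry have been verified by a JWT library.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS token');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// The `permissions` claim exists only when the toggle is on AND the request
// carried an `audience`; treat a missing claim as "no permissions".
function getPermissions(token) {
  const payload = decodeJwtPayload(token);
  return Array.isArray(payload.permissions) ? payload.permissions : [];
}

// API-side check on already-verified claims: return which of `required`
// are absent, so the caller can deny and log exactly what was missing.
function missingPermissions(claims, required) {
  const granted = new Set(Array.isArray(claims.permissions) ? claims.permissions : []);
  return required.filter((p) => !granted.has(p));
}

// Group "action:resource" permissions by resource. With a single logical API
// as audience, every resource's permissions arrive in one array like this.
function permissionsByResource(permissions) {
  const byResource = {};
  for (const p of permissions) {
    const idx = p.indexOf(':');
    if (idx < 0) continue; // ignore malformed entries
    const action = p.slice(0, idx);
    const resource = p.slice(idx + 1);
    if (!byResource[resource]) byResource[resource] = [];
    byResource[resource].push(action);
  }
  return byResource;
}

// --- constructed sample token (hypothetical tenant and user, no signature) ---
function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj))
    .toString('base64')
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=+$/, '');
}
function makeToken(payload) {
  const header = { alg: 'none', typ: 'JWT' };
  return [base64UrlEncode(header), base64UrlEncode(payload), 'sig-placeholder'].join('.');
}
const SAMPLE_PAYLOAD = {
  iss: 'https://example-tenant.auth0.com/',   // assumed value
  sub: 'auth0|example-user',                  // assumed value
  aud: 'settings',
  exp: 4102444800,
  permissions: ['create:settings', 'read:settings', 'update:settings', 'read:reports'],
};
const SAMPLE_TOKEN = makeToken(SAMPLE_PAYLOAD);
const NO_PERMISSIONS_TOKEN = makeToken({ iss: SAMPLE_PAYLOAD.iss, sub: SAMPLE_PAYLOAD.sub, aud: 'settings', exp: SAMPLE_PAYLOAD.exp });

// In a React component using auth0-react v2, the real token comes from:
//   const { getAccessTokenSilently } = useAuth0();
//   const token = await getAccessTokenSilently({ authorizationParams: { audience } });
// and getPermissions(token) then yields the array shown in the answers.
console.log(getPermissions(SAMPLE_TOKEN));
console.log(permissionsByResource(getPermissions(SAMPLE_TOKEN)));
```

The client-side decode is deliberately unverified: the browser cannot keep a secret, so a forged `permissions` claim there only affects what the user sees, never what the API allows. The API must run `missingPermissions` (or its JWT library's equivalent) only on claims it has verified against the tenant's JWKS.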
