Auth0 Authentication Extension

[snake575]

I was testing the extension and found that roles, groups and permissions are not necessarily included on app_metadata.

If one selects the fields on the Token Contents section, then they are included like this:

{ sub: '', iss: '', ... , roles: [], groups: [], permissions: [], }

if one selects the fields on the Persistence section, then they are included like this:

{ sub: '', iss: '', ... , app_metadata: { authorization: { roles: [], groups: [], permissions: [], }, } }

On both cases, it's important to note the one must include roles, groups, permissions or app_metadata on the token's scope on the client app, otherwise none of them are included on the token.

[mcueto]

this is why i "standarized" it with the AUTHORIZATION_EXTENSION setting.

the recommended(and mostly easy to use IMHO) way is to simply enable the authorization extension in auth0 and use it in our apps.

HOWEVER: i will add a disclaimer to notice what scopes are needed in order to use this app.

If this answer is enough to you, please let me know to close this issue

[snake575]

Which one is the default one? Token Contents is the first one on the screen, but I think both are disabled in the beginning. We could add another setting to specify if Token Contents or Persistence is in use on the extension.

[mcueto]

hi @snake575, it seems to be that the extension has changed a little bit/a lot since version 1(i'm assuming that you're using version 2), so i believe that we must support both version 1 and 2 of the extension(i promise work on it in the following weeks)

¿what version of the extension are you using?

[snake575]

I didn't notice there are 2 versions... I'm on 2.1!

[mcueto]

Can you post screenshots of the configs used in your version please!

[snake575]

I did some extra testing... turns out that enabling Token Contents allows the following:

With Auth0-Lock options config:

{
  auth: {
    params: { scope: 'openid roles groups permissions' }
  }
}

Extension config:

Token payload:

{
  "groups": [],
  "permissions": [],
  "roles": [],
  "iss": "...",
  "sub": "...",
  "aud": "...",
  "exp": ...,
  "iat": ...
}

On the other hand, Persistence says it persist the extension data on user profile's app_metadata. However in my test the extension auth data is always present on the profile, regardless if the persistence fields are activated or not.

User's profile:

{
  ...
  "app_metadata": {
    "authorization": {
      "groups": [],
      "roles": [],
      "permissions": []
    }
  },
  "authorization": {
    "groups": [],
    "roles": [],
    "permissions": []
  },
  ...
}

[mcueto]

I'll create another app with authorization 2.x to think how to manage this problem and have an update this week!!!!

[mcueto]

I bet you noticed that i didn't solve this, in the following 2 weeks i will solve this issue

Stay tuned