To set up your Auth0 resources, be sure that the following are in place:
- Permissions and roles are created (see yesterday's journal) under a custom API.
- The custom API identifier matches the `audience` in the app config (see below).
- These two settings are enabled in your custom API: "Enable RBAC" and "Add Permissions in the Access Token". The former ensures that the `scope` claim only contains the permissions actually granted to the token, and the latter ensures that the `permissions` claim is included in the token.
- The custom API grants the permissions under the "User-delegated Access" of the SPA.
```typescript
export const appConfig: ApplicationConfig = {
  providers: [
    provideBrowserGlobalErrorListeners(),
    provideRouter(routes),
    provideAuth0({
      domain: "dev-redacted.us.auth0.com",
      clientId: "redacted",
      authorizationParams: {
        redirect_uri: window.location.origin,
        audience: "http://localhost:8080",
      },
    }),
  ],
};
```
After logging in, check the response of the `/token` request in your browser's network tab. The `access_token` should be a decodable JWT that carries both the `scope` and `permissions` claims. Here's a sample payload decoded with jwt.io:
```json
{
  "iss": "https://dev-redacted.us.auth0.com/",
  "sub": "auth0|redacted",
  "aud": ["http://localhost:8080", "https://dev-redacted.us.auth0.com/userinfo"],
  "iat": 1780923232,
  "exp": 1781009632,
  "scope": "openid read:messages",
  "azp": "redacted",
  "permissions": ["read:messages"]
}
```
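The same inspection as a small script, added here as an example rather than code from the journal: it decodes the payload the way jwt.io does and checks that `aud` contains the custom API identifier and that the permission shows up in both `scope` and `permissions`. The function names (`checkAccessToken`, `makeSampleToken`) are hypothetical, and the sample token is the payload above re-encoded with an empty signature so the script runs offline.

```typescript
// Added example, not the journal's code. It only base64url-decodes the payload
// and does NOT verify the signature: the resource API behind `audience` must
// still validate signature, issuer, audience and expiry against the tenant's
// JWKS before trusting any of these claims. This is a developer sanity check.
interface AccessTokenClaims {
  aud: string | string[];
  exp: number;
  scope?: string;           // space-separated; filtered by "Enable RBAC"
  permissions?: string[];   // present only with "Add Permissions in the Access Token"
  [claim: string]: unknown; // iss, sub, iat, azp, ...
}

export interface ClaimCheck { audienceOk: boolean; scopeOk: boolean; permissionsOk: boolean; notExpired: boolean }

function base64UrlDecode(segment: string): string {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (ch) => ch.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

export function decodePayload(token: string): AccessTokenClaims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected a compact JWS with 3 segments");
  return JSON.parse(base64UrlDecode(parts[1])) as AccessTokenClaims;
}

// Checks the claims the journal says should be present after the Auth0 setup.
export function checkAccessToken(token: string, audience: string, permission: string,
                                 nowSec: number = Math.floor(Date.now() / 1000)): ClaimCheck {
  const c = decodePayload(token);
  const aud = Array.isArray(c.aud) ? c.aud : [c.aud];
  const scopes = (c.scope ?? "").split(" ").filter(Boolean);
  return {
    audienceOk: aud.includes(audience),                                         // custom API id in `aud`
    scopeOk: scopes.includes(permission),                                       // RBAC-filtered `scope`
    permissionsOk: Array.isArray(c.permissions) && c.permissions.includes(permission),
    notExpired: typeof c.exp === "number" && c.exp > nowSec,
  };
}

// Constructed sample: the decoded payload from the journal re-encoded with an
// empty signature segment so this runs offline. A server must never accept it.
export function makeSampleToken(): string {
  const enc = (o: unknown) =>
    btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  const payload: AccessTokenClaims = {
    iss: "https://dev-redacted.us.auth0.com/", sub: "auth0|redacted",
    aud: ["http://localhost:8080", "https://dev-redacted.us.auth0.com/userinfo"],
    iat: 1780923232, exp: 1781009632, scope: "openid read:messages",
    azp: "redacted", permissions: ["read:messages"],
  };
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.`;
}
```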