“Auth0用户权限未在令牌中传递”

huangapple go评论77阅读模式
英文:

Auth0 user permissions not being passed in token

问题

我创建了一个Auth0后端API和一个React客户端。这两个应用程序都能正确地与Auth0进行通信进行身份验证。我可以在React客户端上以用户身份登录,然后使用持有者令牌进行GET请求以访问受保护的端点。这遵循https://auth0.com/docs/quickstart/backend/rails/01-authorization,然而,当涉及到使用特定范围/权限进一步保护端点时,我陷入了困境。

我理解的是,在Auth0设置中创建一个角色,将特定的范围/权限Y添加到该角色,并将用户X分配给该角色,当用户X在React应用程序中正确登录时,持有者令牌将自动包含该权限Y。但当我访问受该权限Y保护的后端端点时,它不会授权我,因此似乎缺少范围。API中启用了'启用RBAC'和'在访问令牌中添加权限'两个选项。

如果有人有相关经验,我将非常感谢任何帮助!

英文:

I created an auth0 backend api and a react client. Both applications correctly communicate to auth0 for authentication. I can log in as a user on the react client, and then make a get request to the backend api using a bearer token to get access to a protected endpoint. This follows https://auth0.com/docs/quickstart/backend/rails/01-authorization, however, I'm stuck when it comes to protecting endpoints additionally with specific scopes/permissions.

My understanding was that by creating a role in the auth0 settings, adding a specific scope/permission Y to that role, and by assigning user X to that role, the bearer token would automatically include that permission Y when user X correctly signs in in the react app. But when I hit the backend endpoints that's protected around that permission Y, it doesn't authorize me, so the scope seems to be missing. 'Enable RBAC' and 'Add Permissions in the Access Token' are both enabled for the api.

If anybody has experience with this, I'd greatly appreciate any help!

答案1

得分: 2

以下是已翻译的内容:

一些问题可能是您的问题所在。一旦您选择了“启用RBAC”和“在访问令牌中添加权限”,请确保您已将权限添加到API中。接下来,您将希望确保所选的用户在用户选项卡下与该权限相关联。

一旦您配置了这些内容,您的访问令牌应该具有您的权限。您可以通过查看在 https://jwt.io/ 等网站上登录时生成的令牌来验证这一点。

英文:

A few things can be your issue here. Once you have selected enable RBAC and Add Permissions in the Access Token, make sure you have added your permissions to the api. Next you will want to make sure your selected user has that permission associated with it under the users tab.

Once you have this configured, your access token should have your permissions. You can verify this by looking at the token generated on login on a site like https://jwt.io/.

huangapple
  • 本文由 发表于 2020年1月6日 16:32:31
  • 转载请务必保留本文链接:https://go.coder-hub.com/59608890.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定