Troubleshoot the Auth0 Authorization Extension
Auth0 provides two ways to implement role-based access control (RBAC), which can be used in place of or in combination with an API's own internal access control system: the Authorization Core feature set and the Authorization Extension.
The Authorization Core feature set matches the functionality of the Authorization Extension, improves performance and scalability, and provides a more flexible RBAC system than the Authorization Extension. Currently, both implement the key features of RBAC and restrict the custom scopes defined for an API to those assigned to the user as permissions.
Auth0 generates errors or returns incomplete token information when configuring the Authorization Extension due to application mismatches, unsupported application types, or rule conflicts. Resolving these issues requires verifying the application configuration, selecting a supported application type, and clearing conflicting rules.
Symptoms include missing roles or permissions in tokens, missing applications in the setup menu, or the following error upon login:
You are not allowed to access this application
Authorization Extension issues occur when the configuration assigns roles and permissions to a different application than the one authenticating the user, when the configuration uses an unsupported application type, or when legacy rules conflict after an extension upgrade.
Why is the authentication resulting in a token that contains group information but lacks roles or permissions information?
This typically occurs when roles and permissions are created for one application, but users authenticate through another application. For example, all roles and permissions are created against Website A, but a second web application (Website B) also exists in Auth0, and the app uses the client_id and client_secret of Website B instead of those of Website A.
Alternatively, this may occur when clicking the Try Connection button in the Auth0 Dashboard on a Connection containing users. This executes an authentication flow using the Auth0 global application, which differs from the application configured in the extension.
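A quick way to confirm either cause is to look at which client the token was issued to and which extension claims it carries. The script below is an added diagnostic, not code from the Auth0 documentation; it assumes the extension's rule publishes its claims under a configurable namespace (the `https://example.com/` value is a placeholder) and builds constructed sample tokens with a placeholder signature for local testing.

```python
import base64
import json

# Assumption: the rule installed by the Authorization Extension adds its
# groups/roles/permissions claims under a custom namespace. The value below
# is a placeholder; substitute the namespace configured in your tenant.
NAMESPACE = "https://example.com/"
EXTENSION_CLAIMS = ("groups", "roles", "permissions")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return a JWT's payload WITHOUT checking its signature.

    Diagnostics only: never make an access decision from this result."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(token: str, extension_client_id: str) -> str:
    """Map the token's claims onto the causes described on this page."""
    claims = decode_claims(token)
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    # azp names the client the token was issued to; fall back to aud.
    issued_to = claims.get("azp") or audiences[0]
    if issued_to != extension_client_id:
        return f"issued to {issued_to}, extension is configured for {extension_client_id}"
    missing = [c for c in EXTENSION_CLAIMS if NAMESPACE + c not in claims]
    if missing:
        return "missing claims: " + ", ".join(missing)
    return "ok"


def sample_token(claims: dict) -> str:
    """Constructed sample token for local testing; the signature is a placeholder."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder"


if __name__ == "__main__":
    # Token issued to Website B while the extension is configured for Website A.
    tok = sample_token({"sub": "auth0|123", "aud": "clientB", "azp": "clientB",
                        NAMESPACE + "groups": ["admins"]})
    print(diagnose(tok, "clientA"))
```

Paste a real ID or access token in place of the constructed one and pass the client_id of the application selected in the extension; the output names the mismatch or the claims that the rule did not add.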
Why is the application missing from the setup drop-down menu when setting up the extension?
The Authorization Extension only supports specific application types. Auth0 hides applications with no assigned type and Machine-to-Machine (M2M) applications. Configure the application as one of the following supported Authorization Extension application types to ensure it appears in the setup menu.
- Native applications
- Single-page web applications
- Regular web applications
How is the "You are not allowed to access this application" error resolved after upgrading to version 2?
The error typically indicates a conflict with an old rule. Resolve the conflict by disabling the persistence settings, deleting the legacy rule, and re-enabling the configuration.
- Turn off the persistence settings.
- Delete the existing rule.
- Re-enable the persistence settings.
- Test the login flow again.