Authorization Extension

The Authorization Extension provides support for user authorization via Groups, Roles, and Permissions. You can define the expected behavior during the login process, and your configuration settings will be captured in a rule that's executed during runtime. To learn more, read Auth0 Rules.

With the Authorization Extension, you can store authorization data like groups, roles, or permissions in the outgoing token issued by Auth0. Your application can then consume this information by inspecting the token and take appropriate actions based on the user's current authorization context.

With the Authorization Extension, roles and permissions are set on a per-application basis. If you need the same roles or permissions on another application, you'll have to create them separately. Conversely, the Authorization Core feature set provides much more flexibility with roles and permissions.

Before you can use the extension, you'll need to:

1. Install the extension.

2. Configure how the extension will behave during the login transaction.

3. Set up users, groups, roles, and permissions.

You can easily move data into or out of the extension using a JSON file. To learn more, read Import and Export Authorization Extension Data.

Once the extension is up and running, you can add additional functionality to it.

• Enable API access to the extension: Learn how you can automate provisioning and query the authorization context of your users in real-time, using the extension's API.

• Explore Authorization Extension API endpoints: Learn about the Authorization Extension's API endpoints and how you can use them.

• Use Authorization Extension data in rules: Learn how you can use rules to configure extra logic for your logins.

Review our tips for troubleshooting page for commonly-encountered issues.

Upgrades from version 2.6 or later do not have breaking changes and require no special action.

Authorization Extension 2.6 contains breaking changes that result from changed logic for storing and handling the API Key; these require you to perform additional steps upon upgrade, as detailed below. Failing to complete these steps will result in either an InvalidApiKey or You are not allowed to access this application error on rule execution. For more information, see the GitHub changelog.

1. Go to Auth0 Dashboard > Extensions, and select the Installed Extensions view.

2. Locate Auth0 Authorization, select Upgrade, and confirm. Wait for the upgrade to complete.

1. Select Auth0 Authorization to open the extension.

2. From the dropdown menu in the top-right of the extension dashboard, select Configuration.

3. Locate the API Key section, and select Rotate.

Select Publish Rule.

1. Go to Auth0 Dashboard > Auth Pipeline > Rules.

2. Locate the auth0-authz rule. If it does not exist, you are done; otherwise, continue with the following steps.

3. Locate the auth0-authorization-extension rule and drag it into the position below the auth0-authz rule.

4. Check that the auth0-authz rule:

   • Was authored by the Authorization Extension and has not been modified manually

   • Will not change the authorization flow in a way that will grant access or privileges to undesired users if it is removed

5. If the above conditions are true, use the toggle to disable the auth0-authz rule. After verifying that everything works appropriately, you can decide whether to leave the rule disabled or remove it entirely.

• Install Authorization Extension
• Configure Authorization Extension
• Enable API Access to Authorization Extension
• Import and Export Authorization Extension Data
• Use Rules with the Authorization Extension
• Troubleshoot Authorization Extension