Auth0 provides two ways to implement role-based access control (RBAC), which you can use in place of or in combination with your API's own internal access control system: the Authorization Core feature set and the Authorization Extension. The Authorization Core feature set matches the functionality of the Authorization Extension, improves performance and scalability, and provides a more flexible RBAC system. Currently, both implement the key features of RBAC and allow you to restrict the custom scopes defined for an API to those that have been assigned to the user as permissions.
The authentication results in a token that contains group information but not role or permission information
If this happens, chances are that you created roles and permissions for one application, but your users are authenticating using another application. For example, let's say that you created all your roles/permissions against Website A. However, you also create another website application in Auth0 for Website B. Then, you use the client_id and client_secret for Website B, instead of those for Website A, in your app.
Alternatively, you might see this if you click the Try Connection button on a Connection that contains one of your users. This executes an authentication flow using the Auth0 global application, which is not the same as the application you configured in the extension.
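A small offline diagnostic for the mismatch described above, added here as an example and not part of the Auth0 documentation: it decodes an access token's payload and reports whether the token was issued to the application you expected and whether it carries any permissions. It assumes the Authorization Core token shape, where the `azp` claim holds the requesting application's client_id and `permissions` lists the user's assigned permissions; the token and the client_id values are constructed placeholders.

```python
import base64
import json

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string (empty signature) purely as constructed test input."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."

def diagnose_token(token: str, expected_client_id: str) -> dict:
    """Decode the payload (no signature check: this is a debugging aid, never an
    authorization decision) and report why roles/permissions may be missing."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    azp = payload.get("azp")            # client_id the token was issued to
    permissions = payload.get("permissions", [])
    findings = []
    if azp != expected_client_id:
        findings.append(
            f"token was issued to application {azp!r}, not {expected_client_id!r}; "
            "check which client_id/client_secret your app uses and which application "
            "the roles and permissions were created against")
    if not permissions:
        findings.append(
            "no 'permissions' claim: either the user holds no permissions for this API "
            "or 'Add Permissions in the Access Token' is not enabled for the API")
    return {"azp": azp, "permissions": permissions, "findings": findings}

# Constructed scenario: roles/permissions were assigned against Website A, but
# the app authenticates with Website B's credentials (placeholder client_ids).
WEBSITE_A = "CLIENT_ID_WEBSITE_A_PLACEHOLDER"
WEBSITE_B = "CLIENT_ID_WEBSITE_B_PLACEHOLDER"
TOKEN_FROM_B = make_unsigned_token({
    "iss": "https://example-tenant.auth0.com/", "sub": "auth0|user",
    "aud": "https://api.example.com", "azp": WEBSITE_B,
    "scope": "openid profile",
})
TOKEN_FROM_A = make_unsigned_token({
    "iss": "https://example-tenant.auth0.com/", "sub": "auth0|user",
    "aud": "https://api.example.com", "azp": WEBSITE_A,
    "scope": "openid read:reports", "permissions": ["read:reports"],
})
```

Calling `diagnose_token(TOKEN_FROM_B, WEBSITE_A)` returns two findings (wrong application, no permissions), while the token from Website A returns none.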
Application is not shown in the drop-down menu when setting up the extension
The supported application types for the Authorization Extension are:
- Native apps
- Single-page web apps
- Regular web apps
After upgrading to v2, users get an error upon login
If you see the error "You are not allowed to access this application", most probably there is some conflict with the old rule. Turn off the persistence settings, delete the existing rule, re-enable the settings, and test again.