The Authorization Extension provides support for user authorization via Groups, Roles, and Permissions. You can define the expected behavior during the login process, and your configuration settings will be captured in a rule that's executed during runtime. To learn more, read Auth0 Rules.
With the Authorization Extension, you can store authorization data like groups, roles, or permissions in the outgoing token issued by Auth0. Your application can then consume this information by inspecting the token and take appropriate actions based on the user's current authorization context.
With the Authorization Extension, roles and permissions are set on a per-application basis. If you need the same roles or permissions on another application, you'll have to create them separately. Conversely, the Authorization Core feature set provides much more flexibility with roles and permissions.
Before you can use the extension, you'll need to:
Install the extension.
Configure how the extension will behave during the login transaction.
Set up users, groups, roles, and permissions.
You can easily move data into or out of the extension using a JSON file. To learn more, read Import and Export Authorization Extension Data.
Once the extension is up and running, you can add additional functionality to it.
Enable API access to the extension: Learn how you can automate provisioning and query the authorization context of your users in real-time, using the extension's API.
Explore Authorization Extension API endpoints: Learn about the Authorization Extension's API endpoints and how you can use them.
Use Authorization Extension data in rules: Learn how you can use rules to configure extra logic for your logins.
Review our tips for troubleshooting page for commonly-encountered issues.
Upgrade from previous versions
Upgrade from version 2.6 or later
Upgrades from version 2.6 or later do not have breaking changes and require no special action.
Upgrade from versions before 2.6
Authorization Extension 2.6 contains breaking changes that result from changed logic for storing and handling the API Key; these require you to perform additional steps upon upgrade, as detailed below. Failing to complete these steps will result in either an
You are not allowed to access this application error on rule execution. For more information, see the GitHub changelog.
Go to Auth0 Dashboard > Extensions, and select the Installed Extensions view.
Locate Auth0 Authorization, select Upgrade, and confirm. Wait for the upgrade to complete.
Rotate the extension's API key
Select Auth0 Authorization to open the extension.
From the dropdown menu in the top-right of the extension dashboard, select Configuration.
Locate the API Key section, and select Rotate.
Republish the extension's rule
Select Publish Rule.
Delete the old extension rule, if it exists
Navigate to Auth0 Dashboard > Auth Pipeline > Rules.
auth0-authzrule. If it does not exist, you are done; otherwise, continue with the following steps.
auth0-authorization-extensionrule and drag it into the position below the
Check that the
was authored by the Authorization Extension and has not been modified manually
will not change the authorization flow in a way that will grant access or privileges to undesired users if it is removed
If the above conditions are true, use the toggle to disable the
auth0-authzrule. After verifying that everything works appropriately, you can decide whether to leave the rule disabled or remove it entirely.