Authorization Extension 2.6 contains breaking changes that result from changed logic for storing and handling the API Key; these require you to perform additional steps upon upgrade, as detailed below. Failing to complete these steps will result in either an "You are not allowed to access this application" error on rule execution. For more info, see the changelog.
Upgrades from version 2.6 or later do not have breaking changes and require no further action.
If you are upgrading from a version before 2.6, you must:
Upgrade the Authorization Extension
- Navigate to the Extensions page in the Auth0 Dashboard, and click the Installed Extensions tab.
- Locate Auth0 Authorization, click Upgrade, and confirm. Wait for the upgrade to complete.
Rotate the extension's API Key
- Click on Auth0 Authorization to open the extension.
- From the dropdown menu in the top-right of the extension dashboard, select Configuration.
- Locate the API Key section, and click Rotate.
Republish the extension's Rule
- Click Publish Rule.
Delete the old extension Rule, if it exists
- Navigate to the Rules page in the Auth0 Dashboard.
- Locate the auth0-authz rule. If it does not exist, you are done; otherwise, continue with these steps:
- Locate the auth0-authorization-extension rule and drag it into the position below the
- Check that the
- was authored by the Authorization Extension and has not been modified manually
- will not change the authorization flow in a way that will grant access or privileges to undesired users if it is removed
- If the above conditions are true, use the toggle to disable the auth0-authz rule. After verifying that everything works appropriately, you can decide whether to leave the rule disabled or remove it entirely.
The Authorization Extension provides support for user authorization via Groups, Roles, and Permissions. You can define the expected behavior during the login process, and your configuration settings will be captured in a rule that's executed during runtime.
With the Authorization Extension, you can store authorization data like groups, roles, or permissions in the outgoing token issued by Auth0. Your application can then consume this information by inspecting the token and take appropriate actions based on the user's current authorization context.
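The following is an added example, not code from Auth0 or the extension, showing how an application might consume this data safely: it verifies the token's signature, algorithm and expiry before reading any authorization claim, and denies by default. The claim name `https://example.com/authorization`, its `permissions` array layout, the helper names and the locally generated key pair are all assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Assumption: the namespaced claim your rule configuration writes into the token.
const CLAIM = 'https://example.com/authorization';
const b64u = (v) => Buffer.from(v).toString('base64url');

// Constructed key pair standing in for the tenant's RS256 signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Helper for the demo only: mint a constructed RS256 token.
function mint(payload, key = privateKey) {
  const head = b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const body = b64u(JSON.stringify(payload));
  const sig = crypto.sign('sha256', Buffer.from(`${head}.${body}`), key);
  return `${head}.${body}.${sig.toString('base64url')}`;
}

// Returns the verified payload or null. No claim is trusted before the signature check.
function verify(token, key, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  try {
    const header = JSON.parse(Buffer.from(head, 'base64url').toString());
    if (header.alg !== 'RS256') return null; // pin the algorithm; rejects "none" and HS256
    const signed = Buffer.from(`${head}.${body}`);
    if (!crypto.verify('sha256', signed, key, Buffer.from(sig, 'base64url'))) return null;
    const payload = JSON.parse(Buffer.from(body, 'base64url').toString());
    if (typeof payload.exp !== 'number' || payload.exp <= nowSec) return null;
    return payload;
  } catch {
    return null; // malformed input is treated as an invalid token
  }
}

// Deny by default: an invalid token, a missing claim, a non-array value
// or an absent permission all return false.
function isAllowed(token, key, permission) {
  const payload = verify(token, key);
  const perms = payload && payload[CLAIM] && payload[CLAIM].permissions;
  return Array.isArray(perms) && perms.includes(permission);
}
```

A production check would also validate the issuer and audience and would normally use a maintained JWT library with the tenant's published signing keys.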
With the Authorization Extension, roles and permissions are set on a per-application basis. If you need the same roles or permissions on another application, you'll have to create them separately. Conversely, the Authorization Core feature set provides much more flexibility with roles and permissions.
Before you can use the extension, you'll need to install it, configure the rule controlling its behavior during login, and set up your user management.
You can easily move data into or out of the Extension.
Once your extension is up and running, you can add additional functionality to it. You can also import/export user-related data.
Review our tips for troubleshooting commonly-seen issues.