Permissions not resolved into Symfony user roles
Checklist
- [x] I have looked into the Readme and have not found a suitable solution or answer.
- [x] I have searched the issues and have not found a suitable solution or answer.
- [x] I have searched the Auth0 Community forums and have not found a suitable solution or answer.
- [x] I agree to the terms within the Auth0 Code of Conduct.
Description
I'm having an issue with the automatic conversion of permissions to roles, which is supposed to happen in \Auth0\Symfony\Models\User::getRoles.
From what I understand I have to assign a role with permissions to my user, and enable RBAC in the API:
In the access token which I'm getting back after authenticating, I can see that the permissions of the role are taken over:
But when I inspect the $permissions variable in \Auth0\Symfony\Models\User::getRoles, then it's always an empty array.
https://github.com/auth0/symfony/blob/f873d320e565992a9cc9384b5a7c57fe84f77950/src/Models/User.php#L253
These are the roles of the logged in user in Symfony:
I'm not sure if it's a bug or not, but at least I cannot get more out of the documentation and source code. Any help or clarification would be appreciated 😊
Reproduction
- Create new application & API
- Enable RBAC and add permissions to the access token in the API's options
- Create a new role and add any permission
- Assign the role to your user
- Log in and check if the assigned roles in `$user->getRoles()` contain `ROLE_<YOUR_PERMISSION>`
Additional context
No response
jwt-auth-bundle version
Symfony version
7.2.3
PHP version
8.4
@Crease29 Considering the value in the roleAuthenticatedUsing (and the namespace of the User class) it seems that you are on a stateful (session-based) authentication, which is different from the stateless (JWT token based).
See https://github.com/search?q=repo%3Aauth0/symfony%20%24roleAuthenticatedUsing&type=code
If you wish to use JWT/stateless auth, you probably need to set
```yaml
# config/packages/auth0.yaml
auth0:
    sdk:
        strategy: 'api'
        ...
```
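To check the reproduction step above (does every permission in the access token show up as a `ROLE_*` in Symfony?) against a running app, here is an added diagnostic script; it is not part of the auth0/symfony bundle, and the `ROLE_` naming convention it uses is an assumption, not the bundle's own conversion in `User::getRoles()`:

```php
<?php
// Added diagnostic example, not code from the auth0/symfony bundle.
// Assumption: permissions become roles as ROLE_ + upper-cased name with
// non-alphanumerics replaced by "_"; adjust if the bundle maps differently.
declare(strict_types=1);

/** Decode a JWT payload WITHOUT verifying it; for inspection only,
 *  signature/issuer/audience checks remain the bundle's job. */
function jwtPayload(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('not a compact JWS');
    }
    $b64 = strtr($parts[1], '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $payload = json_decode(base64_decode($b64, true) ?: '', true);
    return is_array($payload) ? $payload : [];
}

/** Map a permission such as "read:messages" to an assumed Symfony role name. */
function permissionToRole(string $permission): string
{
    return 'ROLE_' . strtoupper(preg_replace('/[^A-Za-z0-9]+/', '_', $permission));
}

/** Roles expected from the token's "permissions" claim that are absent from $roles. */
function missingPermissionRoles(string $jwt, array $roles): array
{
    $expected = array_map('permissionToRole', $jwtPayload($jwt)['permissions'] ?? []);
    return array_values(array_diff($expected, $roles));
}

// Constructed sample token: header + payload with RBAC permissions, dummy signature.
$header  = rtrim(strtr(base64_encode('{"alg":"RS256","typ":"JWT"}'), '+/', '-_'), '=');
$payload = rtrim(strtr(base64_encode(json_encode([
    'sub'         => 'auth0|example',
    'permissions' => ['read:messages', 'write:messages'],
])), '+/', '-_'), '=');
$token = "$header.$payload.sig";

// In a controller, pass $this->getUser()->getRoles() here instead of this constructed list.
$rolesFromSymfony = ['ROLE_USER'];
print_r(missingPermissionRoles($token, $rolesFromSymfony));
// A non-empty result means the token carried permissions that never became roles,
// the symptom reported in this issue; the reply above points to the sdk strategy.
```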
@mkilmanas thank you very much for such a swift reply! I wasn't aware of the strategy config, because it wasn't mentioned in the readme. Thank you, I will look into this!
There might be other ways to achieve the same result (e.g. this security.yaml example suggests that you can have both working in parallel). It's just that when we use it primarily for api-platform based microservice auth, 'api' strategy works best in our case.
Also, this is one of the settings that are passed directly deeper into the SDK level, so technically not much part of this bundle. Although mentioning it in the example auth0.yaml might be useful nevertheless.