Empty permissions and no roles in jwt tokens.
i am using Kinde for login in react/vite ( that works) and want to us eit for authorization in my flask / pyhton back-end. I get the token, sub and organization are in the Bearer, but Permissions is Empty en there is no role. i want to use them to authorize my flask routes ( and also the front-end but thats the next step. does somenone kknows what iam doing wrong?
10 Replies
Hey @Jos,
By default, permissions are in the bearer token, but not roles. You can add additional roles as a claim in the bearer token by following this guide.
To address the issue you're facing with permissions not appearing in the Bearer token when using Kinde for authorization in your Flask/Python backend, let's go through a checklist to ensure everything is set up correctly:
1. Ensure Permissions and Roles are Configured in Kinde: First, make sure that you have configured permissions and roles for your users in the Kinde admin area. Permissions need to be explicitly set for them to appear in the token. You can manage these in the Kinde admin area or via the Kinde Management API. For more details on setting up permissions, refer to the Kinde documentation on user permissions.
2. Check Token Parsing in Flask: Ensure that your Flask backend is correctly parsing the JWT token. You might need to use a library like PyJWT to decode the JWT and extract the permissions and roles. The permissions should be in the
permissions
claim of the access_token
.
3. Use the Correct Token: Make sure you are using the access_token
and not the id_token
for authorization. The access_token
contains the permissions and roles necessary for authorization decisions.
4. Verify Token Configuration: In your React/Vite frontend, ensure that you are requesting the correct scopes and audience when obtaining the token from Kinde. This might affect which claims are included in the token.
5. Inspect the Token: Use a tool like Kinde's Online JWT decoder
to inspect the contents of your JWT token. This can help you verify that the permissions and roles are indeed included in the token you're sending to your Flask backend.Kinde
Online JWT decoder
Leverage this tool to ensure that your JWT has the specific metadata and claims you anticipate or to analyze JWTs generated by a 3rd party.
Kinde Docs
Token customization - Build on Kinde - Help center
Our developer tools provide everything you need to get started with Kinde.
If after these steps you still find that the permissions and roles are not included in your token, it might be helpful to reach out to Kinde support directly for further assistance, as there could be a configuration issue specific to your Kinde setup.
Remember, for authorization in your Flask routes, you'll need to decode the JWT token, extract the permissions and roles, and then implement logic to determine if a user is authorized based on those permissions and roles.
For decoding and verifying JWT tokens in Python, you might find libraries like PyJWT useful. Here's a simple example of how you might decode a token:
Note: In a production environment, you should verify the token's signature to ensure its integrity and authenticity. The example above skips signature verification for simplicity.
For more detailed guidance on implementing authorization logic in Flask, you might find Flask's documentation and extensions like Flask-Principal or Flask-Security-Too helpful.
Let me know if you have any other questions.
Thanks for the respond, will dive into it today.
Hi Oli, iam struggeling wwith this one i think: Verify Token Configuration: In your React/Vite frontend, ensure that you are requesting the correct scopes and audience when obtaining the token from Kinde. This might affect which claims are included in the token.\
especially the scopes
Hey @Jos,
Hi! It sounds like you're having trouble with ensuring that your React/Vite frontend is requesting the correct scopes and audience when obtaining the token from Kinde, which is crucial for including the necessary claims in the token for authorization purposes.
To address this, you'll want to make sure that when you're setting up the Kinde SDK in your React/Vite application, you're specifying the correct scopes and audience. This configuration determines what information and permissions are included in the token that Kinde issues.
Scopes
By default, the Kinde SDK requests the following scopes:
profile
, email
, offline
, and openid
. If you need additional information or permissions beyond these defaults, you can override the scopes by specifying them when initializing the Kinde SDK.
For example, if you're using the React SDK, you can override the scopes like this:
Audience
The audience of a token is the intended recipient of the token, typically your API. You need to specify the audience to ensure that the token is valid for accessing your backend services.
When initializing the Kinde SDK, you can specify the audience like this:
Make sure to replace "api.yourapp.com"
with the actual identifier for your API or backend service. This ensures that the token issued by Kinde is intended for your backend, allowing it to be used for authorization.
If you are still experiencing issues, please let me know.Hi Oli, thank you, i had a backslash problem in my audience. the next step is i want to in vite users from react to signup on a organization. if i walk into issues i will ask you 😉
hi Oli, I have another question there are claims in the ID token that you can use with the sdk, if you decide to add addiotional claims like kp_usr_job_title. Du i have to use the api instead and get them with the JWT files, or is there an easier way?
Hi @Jos,
Du i have to use the api instead and get them with the JWT files, or is there an easier way?I am not too sure what you are exactly saying here, but I think you are after our Properties. You can create user and organization properties and add values against the properties. Then you can optionally choose to pass those values in the ID and access token. Does this solve your use-case?
Hi Oli, i will check that. i have another question, is it possible to have more roles added for development, because i find it difficult to test only with 2 roles. . And i thought you could invite a user to signup on an organization in a certain role. but i can't find it.
Hey @Jos,
Hi Oli, i will check that. i have another question, is it possible to have more roles added for development, because i find it difficult to test only with 2 roles.How many roles would be ideal for you to test?
And i thought you could invite a user to signup on an organization in a certain role. but i can't find it.You can do this via the Kinde Management API, the following API calls will help you achieve this: - https://kinde.com/api/docs/#add-organization-users - https://kinde.com/api/docs/#add-organization-user-role Let me know if you have any further questions.
And i thought you could invite a user to signup on an organization in a certain role. but i can't find it.Do you want an existing user to invite another user to an organization (with a certain role), or will you (not a user) invite a user to an organization (with a certain role)?
Hi Oli, for now i think 5 roles will do. I want an employee to invite members (candidates in our case). So the only have to go to the login en put in their email.
Hi Oli,
Can youn please tell me how to set the role of a user when creat a user through the api. because i can creat the user, but then no role is activated.
Hi @Jos,
Let me speak to my team on this and get back to you.
To add a role to a user via API, you can use the following API call: https://kinde.com/api/docs/#add-organization-user-role
Hey @Jos,
To consider adding more roles onto your business on the Free plan, are you able to explain more about your business:
1. What are you building?
2. How many MAU (monthly active users) and MAO (monthly active organisations) do you expect to have on your application?
3. Are you going to use any enterprise connections?
You are welcome to DM me the answers to these questions if you prefer.