Empty permissions and no roles in JWT tokens.

I am using Kinde for login in React/Vite (that works) and want to use it for authorization in my Flask/Python back-end. I get the token; sub and organization are in the Bearer, but permissions is empty and there is no role. I want to use them to authorize my Flask routes (and also the front-end, but that's the next step). Does someone know what I am doing wrong?
Oli - Kinde, 40d ago
Hey @Jos, By default, permissions are in the bearer token, but not roles. You can add additional roles as a claim in the bearer token by following this guide. To address the issue you're facing with permissions not appearing in the Bearer token when using Kinde for authorization in your Flask/Python backend, let's go through a checklist to ensure everything is set up correctly:
1. Ensure Permissions and Roles are Configured in Kinde: First, make sure that you have configured permissions and roles for your users in the Kinde admin area. Permissions need to be explicitly set for them to appear in the token. You can manage these in the Kinde admin area or via the Kinde Management API. For more details on setting up permissions, refer to the Kinde documentation on user permissions.
2. Check Token Parsing in Flask: Ensure that your Flask backend is correctly parsing the JWT token. You might need to use a library like PyJWT to decode the JWT and extract the permissions and roles. The permissions should be in the permissions claim of the access_token.
3. Use the Correct Token: Make sure you are using the access_token and not the id_token for authorization. The access_token contains the permissions and roles necessary for authorization decisions.
4. Verify Token Configuration: In your React/Vite frontend, ensure that you are requesting the correct scopes and audience when obtaining the token from Kinde. This might affect which claims are included in the token.
5. Inspect the Token: Use a tool like Kinde's Online JWT decoder to inspect the contents of your JWT token. This can help you verify that the permissions and roles are indeed included in the token you're sending to your Flask backend.
Link: Kinde, "Online JWT decoder". Leverage this tool to ensure that your JWT has the specific metadata and claims you anticipate or to analyze JWTs generated by a 3rd party.
Link: Kinde Docs, "Token customization - Build on Kinde - Help center". Our developer tools provide everything you need to get started with Kinde.
Oli - Kinde, 40d ago
If after these steps you still find that the permissions and roles are not included in your token, it might be helpful to reach out to Kinde support directly for further assistance, as there could be a configuration issue specific to your Kinde setup. Remember, for authorization in your Flask routes, you'll need to decode the JWT token, extract the permissions and roles, and then implement logic to determine if a user is authorized based on those permissions and roles. For decoding and verifying JWT tokens in Python, you might find libraries like PyJWT useful. Here's a simple example of how you might decode a token:
import jwt

# token: the Bearer access token string taken from the request's Authorization header
decoded_token = jwt.decode(token, options={"verify_signature": False})
permissions = decoded_token.get("permissions", [])
Note: In a production environment, you should verify the token's signature to ensure its integrity and authenticity. The example above skips signature verification for simplicity. For more detailed guidance on implementing authorization logic in Flask, you might find Flask's documentation and extensions like Flask-Principal or Flask-Security-Too helpful. Let me know if you have any other questions.
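Added example, not code from the thread or from Kinde: a self-contained Python version of the route check described above, which verifies the token before reading its permissions and roles instead of decoding it with verification disabled. It also shows why point 3 matters: an ID token carries the front-end client id as its audience, so the audience check rejects it. To run offline it signs tokens with HS256 and a constructed shared secret; a real Kinde deployment issues RS256 tokens, so the HMAC comparison in verify_token would be replaced by PyJWT's PyJWKClient against the issuer's JWKS. The issuer URL, client id, org code, permission names, the shape of the roles claim and the list_candidates handler are assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from functools import wraps

# Constructed values for the offline demo. A real Kinde issuer signs with RS256
# and publishes its public keys at a JWKS endpoint; no shared secret is involved.
DEMO_SECRET = b"demo-shared-secret-not-for-production"
ISSUER = "https://example-business.kinde.com"   # assumed issuer URL
API_AUDIENCE = "api.yourapp.com"                 # audience value used in the thread
FRONTEND_CLIENT_ID = "demo_frontend_client_id"   # constructed client id (ID-token audience)


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class TokenError(Exception):
    """Raised for any token the back end must not trust."""


def verify_token(token, secret, issuer, audience, now=None):
    """Verify an HS256 JWT and its core claims; return the payload or raise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must never choose how it is verified.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    # The audience is what separates the access token (aud = your API) from the
    # ID token (aud = the front-end client); only the former may authorize routes.
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    if audience not in aud:
        raise TokenError("wrong audience")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise TokenError("expired")
    return claims


def role_keys(claims):
    # Assumption: a customised token carries roles either as strings or as
    # objects with a "key" field; both shapes are accepted here.
    return {r["key"] if isinstance(r, dict) else r for r in claims.get("roles", [])}


def require_permission(permission, secret=DEMO_SECRET):
    """Decorator for a route handler that receives the request headers dict."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(headers, *args, **kwargs):
            auth = headers.get("Authorization", "")
            if not auth.startswith("Bearer "):
                return 401, {"error": "missing bearer token"}
            try:
                claims = verify_token(auth[len("Bearer "):], secret, ISSUER, API_AUDIENCE)
            except TokenError as exc:
                return 401, {"error": str(exc)}
            if permission not in claims.get("permissions", []):
                return 403, {"error": "missing permission " + permission}
            return handler(headers, claims, *args, **kwargs)
        return wrapper
    return decorator


def mint_token(claims, secret=DEMO_SECRET):
    """Constructed stand-in for the issuer, used only to build demo tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


@require_permission("read:candidates")
def list_candidates(headers, claims):
    # The handler only ever sees verified claims; org_code scopes data per tenant.
    return 200, {"org": claims.get("org_code"), "roles": sorted(role_keys(claims))}


def demo():
    now = int(time.time())
    base = {"iss": ISSUER, "sub": "kp_demo_user", "iat": now, "exp": now + 3600, "org_code": "org_demo"}
    access = mint_token({**base, "aud": [API_AUDIENCE], "permissions": ["read:candidates"],
                         "roles": [{"key": "employee", "name": "Employee"}]})
    no_perm = mint_token({**base, "aud": [API_AUDIENCE], "permissions": []})
    id_token = mint_token({**base, "aud": [FRONTEND_CLIENT_ID], "permissions": ["read:candidates"]})
    forged = mint_token({**base, "aud": [API_AUDIENCE], "permissions": ["read:candidates"]}, b"wrong-key")
    return {
        "access": list_candidates({"Authorization": "Bearer " + access}),
        "no_perm": list_candidates({"Authorization": "Bearer " + no_perm}),
        "id_token": list_candidates({"Authorization": "Bearer " + id_token}),
        "forged": list_candidates({"Authorization": "Bearer " + forged}),
        "none": list_candidates({}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The decorator separates authentication failures (401: no token, bad signature, wrong issuer or audience, expired) from authorization failures (403: a valid access token that lacks the permission), which is the distinction you want visible in your Flask logs when a front-end sends the wrong token.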
Jos, 39d ago
Thanks for the response, will dive into it today. Hi Oli, I am struggling with this one I think: "Verify Token Configuration: In your React/Vite frontend, ensure that you are requesting the correct scopes and audience when obtaining the token from Kinde. This might affect which claims are included in the token." Especially the scopes.
Oli - Kinde, 38d ago
Hey @Jos, Hi! It sounds like you're having trouble with ensuring that your React/Vite frontend is requesting the correct scopes and audience when obtaining the token from Kinde, which is crucial for including the necessary claims in the token for authorization purposes. To address this, you'll want to make sure that when you're setting up the Kinde SDK in your React/Vite application, you're specifying the correct scopes and audience. This configuration determines what information and permissions are included in the token that Kinde issues.
Scopes: By default, the Kinde SDK requests the following scopes: profile, email, offline, and openid. If you need additional information or permissions beyond these defaults, you can override the scopes by specifying them when initializing the Kinde SDK. For example, if you're using the React SDK, you can override the scopes like this:
<KindeProvider
...
scope="openid profile email offline"
...
>
Audience: The audience of a token is the intended recipient of the token, typically your API. You need to specify the audience to ensure that the token is valid for accessing your backend services. When initializing the Kinde SDK, you can specify the audience like this:
const client = new KindeSDK(
YOUR_KINDE_ISSUER,
YOUR_KINDE_REDIRECT_URI,
YOUR_KINDE_CLIENT_ID,
YOUR_KINDE_LOGOUT_REDIRECT_URI,
YOUR_SCOPES,
{
audience: "api.yourapp.com"
}
);
Make sure to replace "api.yourapp.com" with the actual identifier for your API or backend service. This ensures that the token issued by Kinde is intended for your backend, allowing it to be used for authorization. If you are still experiencing issues, please let me know.
Jos, 38d ago
Hi Oli, thank you, I had a backslash problem in my audience. The next step is I want to invite users from React to sign up on an organization. If I walk into issues I will ask you 😉 Hi Oli, I have another question: there are claims in the ID token that you can use with the SDK, if you decide to add additional claims like kp_usr_job_title. Do I have to use the API instead and get them with the JWT files, or is there an easier way?
Oli - Kinde, 36d ago
Hi @Jos,
"Do I have to use the API instead and get them with the JWT files, or is there an easier way?"
I am not too sure what you are exactly saying here, but I think you are after our Properties. You can create user and organization properties and add values against the properties. Then you can optionally choose to pass those values in the ID and access token. Does this solve your use-case?
Jos, 36d ago
Hi Oli, I will check that. I have another question: is it possible to have more roles added for development, because I find it difficult to test with only 2 roles. And I thought you could invite a user to sign up on an organization in a certain role, but I can't find it.
Oli - Kinde, 36d ago
Hey @Jos,
"Hi Oli, I will check that. I have another question: is it possible to have more roles added for development, because I find it difficult to test with only 2 roles."
How many roles would be ideal for you to test?
"And I thought you could invite a user to sign up on an organization in a certain role, but I can't find it."
You can do this via the Kinde Management API; the following API calls will help you achieve this:
- https://kinde.com/api/docs/#add-organization-users
- https://kinde.com/api/docs/#add-organization-user-role
Let me know if you have any further questions.
"And I thought you could invite a user to sign up on an organization in a certain role, but I can't find it."
Do you want an existing user to invite another user to an organization (with a certain role), or will you (not a user) invite a user to an organization (with a certain role)?
Jos, 35d ago
Hi Oli, for now I think 5 roles will do. I want an employee to invite members (candidates in our case), so they only have to go to the login and put in their email. Hi Oli, can you please tell me how to set the role of a user when creating a user through the API? Because I can create the user, but then no role is activated.
Oli - Kinde, 33d ago
Hi @Jos, Let me speak to my team on this and get back to you. To add a role to a user via API, you can use the following API call: https://kinde.com/api/docs/#add-organization-user-role
Hey @Jos, To consider adding more roles onto your business on the Free plan, are you able to explain more about your business:
1. What are you building?
2. How many MAU (monthly active users) and MAO (monthly active organisations) do you expect to have on your application?
3. Are you going to use any enterprise connections?
You are welcome to DM me the answers to these questions if you prefer.