Insufficient scope error caused by undefined field in jwtAuthz

[afilazzola]

Please do not report security vulnerabilities here. The Responsible Disclosure Program details the procedure for disclosing security issues.

Thank you in advance for helping us to improve this library! Please read through the template below and answer all relevant questions. Your additional work here is greatly appreciated and will help us respond as quickly as possible. For general support or usage questions, use the Auth0 Community or Auth0 Support. Finally, to avoid duplicates, please search existing Issues before submitting one here.

By submitting an Issue to this repository, you agree to the terms within the Auth0 Code of Conduct.

Description

The field selection from jwtAuthz function appear to be incorrect. I was running into the exact same issue as reported here. Except specifying a customScopeKey did not solve the problem. Looking at the output of the request and the function itself, there is no field on the JWT token called user but that is what the function is requesting. Revising the userKey field to auth corrects the behaviour.

Reproduction

The middleware I was using:
app.get('/userbased', checkJwt, jwtAuthz(['read:ssim']), (req, res) => { console.log('Request', req['auth']); res.send('Role based user authentication is working'); });

The edit I made to the jwtAuthz function
let userKey = 'auth';

Environment

Please provide the following:

• Version of this library used: express-jwt-authz@2.4.1
• Version of the platform or framework used, if applicable: NodeJS & React
• Other modules/plugins/libraries that might be involved: jwks-rsa & express-jwt for JWT authentication

[henryspivey]

I'm getting the same error, "Insufficient Scope" as mentioned above
I am running:
"express": "^4.18.1",
"express-jwt": "^7.7.5",
"express-jwt-authz": "^2.4.1",

As suggested above, doing let userKey = 'auth' fixed the issue.

[luisr-carrillo]

As you commented, customUserKey: 'auth' fixed the issue.

But I have to change my Auth0 API settings, on the API dashboard then 'RBAC Settings' I actived 'Enable RBAC' and 'Add Permissions in the Access Token'.

This is my final config.
export const checkPermissions = (permissions: string[]) => { return jwtAuthz(permissions, { customScopeKey: 'permissions', customUserKey: 'auth' }); };

[danielwagn3r]

I've noticed this error as well. However in my case, I didn't use any additional properties in the JWT for RBAC or other stuff, I just used the standard scope parameter to check for client permissions (in my case it's a m2m use-case).

Didn't get it working with this package and therefore looked at https://github.com/benrei/express-jwt-scope

Used this versions:
"express": "^4.18.1",
"express-jwt": "^7.7.5",
"express-jwt-authz": "^2.4.1",

[bjornol]

Same issue here on versions

"express": "^4.18.1",
"express-jwt": "^7.7.5",
"express-jwt-authz": "^2.4.1"

Solution from afilazzola works.

The problem is caused by the express-jwt v6 upgrade where the decoded JWT payload is now available as req.auth rather than req.user. See migration points (Migration from v6) in the express-jwt description. https://github.com/auth0/express-jwt

[FSou1]

Same.

Make sure you use express-jwt, because express-jwt-authz depends on that package under the hood.