Rules for Authorization not working

Hi,

I followed the set roles template and adjusted it a bit to add authorization under app_metadata:

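function (user, context, callback) {
  // Auth0 rule: derive the user's roles from the login email and persist them
  // under app_metadata (both app_metadata.roles and app_metadata.authorization.roles).
  // Rules run on every login, so the roles are recomputed each time.
  user.app_metadata = user.app_metadata || {};

  // Pick the roles for this user; results are delivered as cb(err, rolesArray).
  // The original `cb(null, 'admin']);` had an unbalanced bracket - roles are an array.
  var addRolesToUser = function(user, cb) {
    // Only trust a verified address: an unverified email can be chosen freely
    // at sign-up (or be absent for some connections), so it must never grant admin.
    if (!user.email || !user.email_verified) {
      return cb(null, ['user']);
    }
    // endsWith rather than includes: includes('@mydomain.com') also matches
    // addresses such as someone@mydomain.com.example.net. Lower-case the value
    // so the domain comparison is case-insensitive.
    if (user.email.toLowerCase().endsWith('@mydomain.com')) {
      return cb(null, ['admin']);
    }
    return cb(null, ['user']);
  };

  addRolesToUser(user, function(err, roles) {
    if (err) {
      return callback(err);
    }
    user.app_metadata.roles = roles;
    user.app_metadata.authorization = { roles: roles };
    // Persist the metadata, then continue the login. The rejection handler is
    // passed as the second argument so a throw inside the success path cannot
    // invoke callback a second time.
    auth0.users.updateAppMetadata(user.user_id, user.app_metadata)
      .then(function() {
        callback(null, user, context);
      }, function(updateErr) {
        callback(updateErr);
      });
  });
}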

The goal is to authorize users with my company’s domain as admins. In .NET, User.IsInRole(“admin”) only seems to work if I install the authorization extension and manually add a user to the role. Is there something I can do differently to enable rule-based authorization?

You can obtain the roles by making a call to the /tokeninfo endpoint, which will return the user info, including the app_metadata and roles.

If you’d like the scope to be added to the id_token upon login, you will need to add the custom claim in the new namespaced format: