Getting Roles & Groups

I’m a bit confused as to what’s happening and for some reason I’m unable to open a ticket, so I’ll ask here.

Last month (March) I was working on migrating my small Stormpath account to Auth0. Using the lock widget with MVC Core everything was working fine - by passing scope: ‘open_id roles groups’ via the Lock widget I could get a user’s roles and groups when they logged in. I just now am revisiting this code and it is no longer working. When a user logs in I get the 5 open_id values but no roles or groups.

I did some searching and I keep seeing discussion about a new OIDC flow, but that the “Legacy” flow is still supported. To my understanding, I am not using the OIDC flow because my Client does not have it enabled and I am not providing an audience in my Lock widget. Can someone please clarify why my code is no longer working, and what I need to change to get roles and groups to come through once again? Thanks.

Can you see whether you are using an OIDC Conformant client?

Dashboard > Clients > Your client > Advanced settings > OAuth > OIDC Conformant

If it is enabled, you can disable it to go back to the way it was working. However, we do not recommend this. Instead, you can add the non-standard claims by namespacing them through a rule, e.g.:

function (user, context, callback) {
  // Any URL you control works as the namespace; it is only an identifier.
  const namespace = 'https://myapp.example.com/';
  // Guard: app_metadata.authorization only exists once the Authorization
  // extension is configured to push roles/groups into app_metadata.
  const authorization = (user.app_metadata && user.app_metadata.authorization) || {};
  context.idToken[namespace + 'groups'] = authorization.groups || [];
  callback(null, user, context);
}

I can confirm that my Client is not OIDC conformant, and never has been (to my knowledge). That’s why I’m confused that my original setup is no longer working.

I added the rule but am getting an error stating “Cannot read property ‘groups’ of undefined”. Is the namespace variable the Domain of the Client? Will this rule only work if I enable OIDC conformant on my Client?

After reading further here I see that the namespace is just an identifier and not linked to anything specifically.

When trying the Rule in the Auth0 Management page I get an error stating “Cannot read property ‘authorization’ of undefined”… so it seems like it’s having a problem seeing the Authorization extension.

One final update for those having the same issue. The new Rule was referencing the User’s app_metadata, but you have to enable pushing the roles & groups to the app_metadata inside the Authorization extension. Everything is working correctly now.