Access a user's permissions within a Post-Login Action without using the API Management library

Problem statement

Auth0’s actions provide access to an authorization object on the event, which is documented to contain the roles assigned to the user. However, I need access to the permissions associated with the roles without using the API Management client, primarily to avoid network overhead and potentially being restricted by rate limits associated with calls to the API Management endpoints.
There is a setting within the API resource for “Add[ing] Permissions to the Access Token” that we have toggled on. When the access token is received from Auth0, it has these permissions. When are the permissions appended to the access token? Can I access them within an Action so I can enhance them without needing to call the API Management endpoints?

Solution

Unfortunately, a user’s permissions are not currently accessible in Post-Login Actions.

If you would like to see this functionality in a future release of Auth0, we would encourage you to submit a feature request using this form: "Auth0: Secure access for everyone. But not just anyone." This is a direct line to our Product team and the best way to communicate your needs.

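Since the roles on `event.authorization` are available in the Action, one way to get role-based permissions into the token without calling the Management API is to derive them from a map kept in the Action itself. This is an added example, not code from the original post or from Auth0; the role names, the `ROLE_PERMISSIONS` table and the claim namespace are assumptions, and the table does not read the tenant's actual RBAC settings.

```javascript
// Added example, not Auth0's code. ROLE_PERMISSIONS and CLAIM are hypothetical
// and must be kept in sync by hand with the tenant's RBAC configuration.
const ROLE_PERMISSIONS = {
  "billing-admin": ["read:invoices", "write:invoices"],
  "support": ["read:invoices", "read:tickets"],
};
const CLAIM = "https://example.com/role_permissions"; // constructed namespace

// Pure helper: union of the permissions for the given role names.
// Roles missing from the table grant nothing (fail closed) and are reported.
function permissionsForRoles(roles, table = ROLE_PERMISSIONS) {
  const granted = new Set();
  const unknown = [];
  for (const role of roles || []) {
    // Own-property check so a role named "constructor" or "__proto__"
    // cannot resolve to something inherited from Object.prototype.
    if (Object.prototype.hasOwnProperty.call(table, role)) {
      table[role].forEach((p) => granted.add(p));
    } else {
      unknown.push(role);
    }
  }
  return { permissions: [...granted].sort(), unknown };
}

const onExecutePostLogin = async (event, api) => {
  // Guard in case the authorization object is absent on the event.
  const roles = event.authorization ? event.authorization.roles : [];
  const { permissions, unknown } = permissionsForRoles(roles);
  if (unknown.length > 0) {
    console.log(`roles missing from ROLE_PERMISSIONS: ${unknown.join(", ")}`);
  }
  // Written to a namespaced custom claim, separate from the "permissions"
  // claim that Auth0 adds to the access token itself.
  api.accessToken.setCustomClaim(CLAIM, permissions);
};

if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;
```

The API receiving the token should treat this custom claim as a supplement to the `permissions` claim Auth0 issues, since a hand-maintained table can drift from the roles configured in the tenant.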