Access token is undefined after adding roles in a post-login action

This is my post-login action:

exports.onExecutePostLogin = async (event, api) => {
  const namespace = 'https://chats.com';
  // event.authorization.roles holds the roles already assigned to the user
  // before this Action runs; copy them into both tokens under a namespaced claim.
  if (event.authorization) {
    api.idToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
    api.accessToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
  }
};

Now if I try to read the access token, it is undefined.

export const config = {
	authRequired: false,
	auth0Logout: true,
	secret: "a-long-random-string", // session-cookie encryption key; should not be the client ID
	baseURL: "http://localhost:8080/",
	clientID: "client-id",
	issuerBaseURL: "https://url.auth0.com",
	// No authorizationParams here: express-openid-connect then defaults to
	// response_type "id_token", so Auth0 issues no access token at all.
};

app.use(
	auth({
		...config,
		routes: {
			login: false, // https://github.com/auth0/express-openid-connect/blob/master/EXAMPLES.md#3-route-customization
		},
	}),
);


app.get('/login', (req, res) => {
	// isAuthenticated is a method; without the parentheses the function
	// reference is always truthy and the redirect happens for everyone.
	if (req.oidc.isAuthenticated()) {
		console.log(req.oidc.user);
		res.redirect('/chat');
	} else {
		res.oidc.login({ returnTo: '/chat' });
	}
});

router.get('/api/users/currentuser', requiresAuth(), async (req, res) => {
	console.log(req.oidc.idToken); // getting the id-token; decoded version is shown below
	console.log(req.oidc.accessToken); // undefined: no access token is issued under the default id_token response type
	res.status(200).send({ user: req.oidc.user });
});

This is my decoded idToken:

{
  "https://chats.com/roles": [
    "guest ",
    "user "
  ],
  "given_name": "pranshu",
  "family_name": "shah",
  "nickname": "pranshu.shah23",
  "name": "pranshu shah",
  "picture": "https://lh3.googleusercontent.com/a/AATXAJx6USgeS7fQB3WerDM0cSbZH8wmhaTxzPXjbdl3=s96-c",
  "locale": "en",
  ... other info
}
  • One way to add authorization permissions is through the authorizationParams object, but one issue is that we don't know the role of the user before login. So how can we generate access tokens based on role?
  • In short, what I want is an access token based on the role of the user, so I can call a role-enabled custom API.
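Added example, not code from the original post or from express-openid-connect: the configuration that makes Auth0 issue an access token in the first place, plus helpers that read the namespaced roles claim out of that token and gate an Express route on a role. The namespace, audience and placeholder credentials come from the post; the function names, the SESSION_SECRET and AUTH0_CLIENT_SECRET environment variables, and the constructed demo token are assumptions.

```javascript
// Added example: configuration and role helpers for express-openid-connect.
// Names other than the post's namespace and audience are assumptions.
const NAMESPACE = 'https://chats.com';
const ROLES_CLAIM = `${NAMESPACE}/roles`;

// Why req.oidc.accessToken was undefined: with no authorizationParams the SDK
// defaults to response_type 'id_token' (implicit flow) and Auth0 issues no
// access token. Request the code flow (which needs clientSecret to redeem the
// code) and name an API audience so the access token is a JWT that carries the
// custom claim the Action sets. offline_access adds a refresh token.
const authConfig = {
  authRequired: false,
  auth0Logout: true,
  secret: process.env.SESSION_SECRET,            // long random string; cookie key, not the client ID
  baseURL: 'http://localhost:8080/',
  clientID: 'client-id',                         // placeholder, as in the post
  clientSecret: process.env.AUTH0_CLIENT_SECRET, // assumed env var
  issuerBaseURL: 'https://url.auth0.com',
  authorizationParams: {
    response_type: 'code',
    audience: 'http://localhost:8080/api/message', // API identifier from the post
    scope: 'openid profile email offline_access',
  },
};
// Wire-up (needs the package installed, so shown as a comment):
// const { auth, requiresAuth } = require('express-openid-connect');
// app.use(auth(authConfig));

// Decode a JWT payload without verifying it. Acceptable in the web app only
// because the SDK received the token directly from the token endpoint over
// TLS; the API that consumes the token must verify signature, issuer,
// audience and expiry itself.
function decodeJwtPayload(jwt) {
  const parts = typeof jwt === 'string' ? jwt.split('.') : [];
  if (parts.length !== 3) throw new Error('not a JWT: opaque token, check authorizationParams.audience');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Roles carried in req.oidc.accessToken, or [] when no token was issued.
// The decoded ID token in the post shows "guest " and "user " with trailing
// spaces, so trim before comparing or every exact-match check fails.
function rolesFromAccessToken(accessToken) {
  if (!accessToken || !accessToken.access_token) return [];
  const roles = decodeJwtPayload(accessToken.access_token)[ROLES_CLAIM];
  return Array.isArray(roles) ? roles.map((r) => String(r).trim()) : [];
}

// Express middleware: 401 when not logged in, 403 when the role is missing or
// the token cannot be read. Fails closed rather than letting the route run.
function requireRole(role) {
  return (req, res, next) => {
    if (!req.oidc || !req.oidc.isAuthenticated()) {
      return res.status(401).send({ error: 'login required' });
    }
    let roles;
    try {
      roles = rolesFromAccessToken(req.oidc.accessToken);
    } catch (err) {
      return res.status(403).send({ error: err.message });
    }
    if (!roles.includes(role)) {
      return res.status(403).send({ error: `role ${role} required` });
    }
    req.roles = roles;
    return next();
  };
}
// Route from the post, now gated on the 'user' role:
// router.get('/api/users/currentuser', requiresAuth(), requireRole('user'),
//   (req, res) => res.status(200).send({ user: req.oidc.user, roles: req.roles }));

// Constructed, unsigned token shaped like the decoded ID token in the post,
// only so this file runs offline. Never accept such a token in a real API.
function fakeJwt(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'none', typ: 'JWT' })}.${b64(payload)}.`;
}
const demoToken = {
  access_token: fakeJwt({ [ROLES_CLAIM]: ['guest ', 'user '], aud: authConfig.authorizationParams.audience }),
};
console.log(rolesFromAccessToken(demoToken)); // prints [ 'guest', 'user' ]
```

The web app only needs the claim to decide what UI to show; the custom API named in `audience` must still validate the token's signature and audience before honouring the roles.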

Hi @pranshushah,

Welcome to the Auth0 Community!

First, could you please clarify if you have set a role on the user before calling your Post-Login Action script?

If not, you will need to have previously set a role on the user’s profile for the script to append a value in the custom claim of your access token.

This can be done on the user’s profile in the Auth0 Dashboard or using the Management API Assign roles to a user endpoint.

If applicable, there is the option of setting roles for the user when they sign up to your application using an Action.

With that said, I have tested this myself and can confirm that the access token produces the roles as a custom claim.

Please let me know how this goes for you.

Thanks.
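The reply above says a role has to exist on the user before the Action runs, and mentions assigning one at signup from an Action. Added example, not the Action from the post and not Auth0's own code: a Post-Login Action that assigns a default role to a brand-new user through the Management API "Assign roles to a user" endpoint and then sets the roles claim. It assumes the Action secrets AUTH0_DOMAIN, MGMT_API_TOKEN, DEFAULT_ROLE_ID and DEFAULT_ROLE_NAME are configured, that the Action runtime provides a global fetch (Node 18), and that the endpoint path and body shape are as documented for the Management API; the third parameter of the handler exists only so a test can inject a fake fetch.

```javascript
// Added example: Post-Login Action that assigns a default role on first login.
// Secret names, role name and the deps parameter are assumptions.
const NAMESPACE = 'https://chats.com';

// Management API "Assign roles to a user": POST /api/v2/users/{id}/roles
async function assignRolesToUser(event, roleIds, fetchImpl) {
  const url = `https://${event.secrets.AUTH0_DOMAIN}/api/v2/users/${encodeURIComponent(event.user.user_id)}/roles`;
  const resp = await fetchImpl(url, {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      Authorization: `Bearer ${event.secrets.MGMT_API_TOKEN}`,
    },
    body: JSON.stringify({ roles: roleIds }),
  });
  if (!resp.ok) throw new Error(`assign roles failed: HTTP ${resp.status}`);
}

async function onExecutePostLogin(event, api, deps = { fetchImpl: globalThis.fetch }) {
  // event.authorization.roles is a snapshot taken before this Action runs, so
  // a role assigned below will not show up in it during this transaction.
  // Keep a local list and add the new role name to it before setting claims.
  let roles = (event.authorization && event.authorization.roles) || [];

  const firstLogin = event.stats && event.stats.logins_count === 1;
  if (firstLogin && roles.length === 0) {
    try {
      await assignRolesToUser(event, [event.secrets.DEFAULT_ROLE_ID], deps.fetchImpl);
      roles = [...roles, event.secrets.DEFAULT_ROLE_NAME]; // the claim carries names, not role ids
    } catch (err) {
      // Do not claim a role that was not persisted: log it and let the user
      // log in with whatever roles Auth0 already knows about.
      console.log(`default role not assigned for ${event.user.user_id}: ${err.message}`);
    }
  }

  api.idToken.setCustomClaim(`${NAMESPACE}/roles`, roles);
  api.accessToken.setCustomClaim(`${NAMESPACE}/roles`, roles);
  return roles; // returned for tests; Auth0 ignores the return value
}

// Auth0 loads the Action through this export (guarded so the file also runs as an ES module).
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```

Storing a long-lived Management API token as an Action secret is the simplest way to show the call; in practice a client-credentials token scoped to `update:users` is fetched and cached instead.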

  • I have an Express-based web application where, as soon as a user with a guest role pays for our service, we want to assign him a premium-user role. For that, I am using this link.
  • What I want is for this user to have the latest access token based on the latest permissions, so I can use a new access token (req.oidc.accessToken.access_token) for an RBAC-based API.
  • I also want to change the payload of the id-token and the new access token, because at login time I am using a post-login action to add roles into the payload of the id-token and access-token.
  • Tech stack: Express with express-openid-connect (traditional web app).
    Code for my post-login action and auth config:
exports.onExecutePostLogin = async (event, api) => {
  const namespace = 'https://chats.com';
  if (event.authorization) {
    api.idToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
    api.accessToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
  }
};
export const config = {
	authRequired: false,
	auth0Logout: true,
	secret: 'secret', // placeholder; use a long random string in practice
	baseURL: 'http://localhost:8080/',
	clientID: 'client_id',
	issuerBaseURL: 'https://something.auth0.com',
};
app.use(
	auth({
		...config,
		attemptSilentLogin: false,
		routes: {
			login: false,
		},
		clientSecret: 'client-secret', // required to redeem the authorization code below
		authorizationParams: {
			response_type: 'code',
			response_mode: 'form_post',
			audience: 'http://localhost:8080/api/message', // makes the access token a JWT for this API
			// scope is not set, so the default 'openid profile email' applies and
			// no refresh token (offline_access) is issued
		},
	}),
);
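The post above asks how to get a fresh access token carrying the premium role after payment. Added example, not from the post or from express-openid-connect: assign the role through the Management API, then call req.oidc.accessToken.refresh() so a new access token is minted with the updated roles claim, and verify the claim before unlocking anything. It assumes the auth() config requests scope 'openid profile email offline_access' (so there is a refresh token to exchange), that the Post-Login Action from the post is deployed and, as Auth0 documents for the refresh-token exchange, runs again on refresh, and that the caller supplies an assignPremiumRole callback that hits POST /api/v2/users/{id}/roles; the role name and route path are placeholders.

```javascript
// Added example: post-payment role upgrade with a token refresh.
// ROLES_CLAIM matches the post's namespace; PREMIUM_ROLE and the callback are assumptions.
const ROLES_CLAIM = 'https://chats.com/roles';
const PREMIUM_ROLE = 'premium-user';

// Roles from a JWT access token (payload decoded, not verified: the SDK got it
// from the token endpoint; the API receiving it does the real verification).
function rolesFromJwt(jwt) {
  const parts = typeof jwt === 'string' ? jwt.split('.') : [];
  if (parts.length !== 3) throw new Error('access token is not a JWT; set authorizationParams.audience');
  const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  return (claims[ROLES_CLAIM] || []).map((r) => String(r).trim());
}

// assignPremiumRole(sub) is expected to call the Management API
// (POST /api/v2/users/{sub}/roles) with a Management API token held by the
// web app; it is injected so this module stays free of network code.
async function upgradeToPremium(req, assignPremiumRole) {
  if (!req.oidc || !req.oidc.isAuthenticated()) throw new Error('login required');
  const before = rolesFromJwt(req.oidc.accessToken && req.oidc.accessToken.access_token);
  if (before.includes(PREMIUM_ROLE)) return { changed: false, roles: before };

  // 1. Persist the role in Auth0. Nothing in this session changes yet: the old
  //    access token keeps its old claims until it expires or is replaced.
  await assignPremiumRole(req.oidc.user.sub);

  // 2. Exchange the refresh token. A new access token is minted now, so the
  //    Action sees the updated event.authorization.roles and re-sets the claim.
  const refreshed = await req.oidc.accessToken.refresh();

  // 3. Verify before trusting. If the role is still absent (Action not deployed,
  //    refresh without offline_access, wrong tenant) fail loudly instead of
  //    unlocking premium features on a stale token.
  const after = rolesFromJwt(refreshed.access_token);
  if (!after.includes(PREMIUM_ROLE)) {
    throw new Error(`refreshed access token still lacks ${PREMIUM_ROLE}: ${after.join(',') || '(none)'}`);
  }
  return { changed: true, roles: after };
}

// Route wiring (needs app and requiresAuth from the post). Roles are read from
// the refreshed access token rather than from req.oidc.user, so the result does
// not depend on whether the session's ID token was replaced as well.
// app.post('/api/upgrade', requiresAuth(), async (req, res, next) => {
//   try { res.send(await upgradeToPremium(req, assignPremiumRoleViaManagementApi)); }
//   catch (err) { next(err); }
// });
```

The check in step 3 is the important part: a role assignment that succeeded in Auth0 but never reached the token is exactly the situation the thread describes, and silently serving premium features on the old claims would hide it.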

Hi @pranshushah,

Thank you for creating an additional Community Topic on RBAC.

Because this is related to your previous Topic, I am going to merge them together for consistency.

Thank you!

