Access-token is undefined after adding roles after post-login action

pranshushah · January 22, 2022, 1:08pm

this is my post-login action

exports.onExecutePostLogin = async (event, api) => {
  const namespace = 'https://chats.com';
  if (event.authorization) {
    api.idToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
    api.accessToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
  }
};

now if you try to access token it shows it is undefined.

export const config = {
	authRequired: false,
	auth0Logout: true,
	secret: "some client id",
	baseURL: "http://localhost:8080/",
	clientID: "client-id",
	issuerBaseURL: "https://url.auth0.com",
};

app.use(
	auth({
		...config,
		routes: {
			login: false, // https://github.com/auth0/express-openid-connect/blob/master/EXAMPLES.md#3-route-customization
		},
	}),
);


app.get('/login', (req, res) => {
	if (req.oidc.isAuthenticated) {
		console.log(req.oidc.user);
		res.redirect('/chat');
	} else {
		res.oidc.login({ returnTo: '/chat' });
	}
});

router.get('/api/users/currentuser', requiresAuth(), async (req, res) => {
	console.log(req.oidc.idToken); // getting id-token. decoded version is shown below.
	console.log(req.oidc.accessToken); // undefined
	res.status(200).send({ user: req.oidc.user });
});

this is my decoded idToken.

{
  "https://chats.com/roles": [
    "guest ",
    "user "
  ],
  "given_name": "pranshu",
  "family_name": "shah",
  "nickname": "pranshu.shah23",
  "name": "pranshu shah",
  "picture": "https://lh3.googleusercontent.com/a/AATXAJx6USgeS7fQB3WerDM0cSbZH8wmhaTxzPXjbdl3=s96-c",
  "locale": "en",
  .... other infos
}

one way to add authorization permissions is through the authorizationParams object but one issue is that we don’t role of the user before login. so how can we generate access tokens based on role
in short, what I want to do is I want to have an access token based on the role of the user. so i can call role enabled custom API.

rueben.tiow · January 24, 2022, 7:53pm

Hi @pranshushah,

Welcome to the Auth0 Community!

First, could you please clarify if you have set a role on the user before calling your Post-Login Action script?

If not, you will need to have previously set a role on the user’s profile for the script to append a value in the custom claim of your access token.

This can be done on the user’s profile in the Auth0 Dashboard or using the Management API Assign roles to a user endpoint.

If applicable, there is the option of setting roles for the user when they sign up to your application using an Action.

With that said, I have tested this myself and can confirm that the access token produces the roles as a custom claim.

Please let me know how this goes for you.

Thanks.

pranshushah · January 24, 2022, 5:26am

I have an Express-based web app application where as soon as a user with a guest role pays for our service we want to assign him a premium-user role. for that, I am using this link.
what I want to do is that I want this user to have the latest access token based on the latest permission. so I can use a new access token (req.oidc.accessToken.access_token) for RBAC-based API.
and also want to change the payload of id-token and new access token. because at the time of login I am using post-login action to add roles into the payload of id-token and access-token.
tech stack express - express-openid-connect (traditional web-app).
code for my post-action login and auth config.

const namespace = 'https://chats.com';
  if (event.authorization) {    
      api.idToken.setCustomClaim(`${namespace}/roles`,event.authorization.roles);
      api.accessToken.setCustomClaim(`${namespace}/roles`,event.authorization.roles);    
  }

export const config = {
	authRequired: false,
	auth0Logout: true,
	secret: 'secret',
	baseURL: 'http://localhost:8080/',
	clientID: 'client_id',
	issuerBaseURL: 'https://something.auth0.com',
};
app.use(
	auth({
		...config,
		attemptSilentLogin: false,
		routes: {
			login: false, 
		},
		clientSecret: 'client-secret',
		authorizationParams: {
			response_type: 'code',
			response_mode: 'form_post',
			audience: 'http://localhost:8080/api/message',
		},
	}),
);

rueben.tiow · January 24, 2022, 8:03pm

Hi @pranshushah,

Thank you for creating an additional Community Topic on RBAC.

Because this is related to your previous Topic, I am going to merge them together for consistency.

Thank you!

system · February 8, 2022, 5:26am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Post Login Action not Placing Role in Token Help	7	2453	April 22, 2022
Update access token after changing the role Help access_token , roles	1	3013	January 24, 2022
Roles not being sent with id token Help id_token , roles , login	1	1670	October 11, 2022
I am unable to add the role which was added during the first login to the access token Help management-api , roles	3	866	June 12, 2024
Add Roles/Claims to the access token via Login Flow Help login-experience , new-universal-login-experience	2	272	April 15, 2024

Access-token is undefined after adding roles after post-login action

Related Topics