Access User Permissions in Post-Login Action

Feature: Make user’s permissions accessible via Post-Login Action if RBAC is enabled.

Description: It would be very helpful if it were possible to access the authenticating user’s Permissions during a Post-Login Action without having to make an additional API call. The permissions are returned in the Token if RBAC is enabled so they are definitely being accessed. Exposing permissions in a property such as event.authorization.permissions would be a great feature that could eliminate some API calls.

Use-case: My client’s software library is configured to use .NET Core’s Authorize attribute and looks at the authenticated user’s Roles to determine if they can access endpoints in the API. I am in the process of implementing Auth0 authentication, a new Authorization handler and updating code in their library. For backward compatibility after I have implemented the Auth0 authentication in the non-updated applications, I am required to add an additional Role claim to the Access token. If I were able to access the Permissions in the Post-Login action, I could simply duplicate those into the roles. However, since that isn’t available, I have to make separate calls to retrieve an access token and retrieve Permissions for the authenticating user. I am using the Authorization Code flow, so when a user logs in, I have API calls retrieving Permissions and then another API call to redeem the Auth code for the user’s token.

Hi @jharris,

Thank you for your feedback request!

Please don’t forget to upvote this thread so we can prioritize its implementation based on the highest votes!

Cheers,
Rueben

That would be great. Currently it is confusing to figure out how to get the user permissions in a SPA. There are a lot of resources out there, some outdated, some only focusing on getting roles. It would be intuitive if one could add the permissions to the id_token via a custom action.

I am for now using the solution from this member: How to add user permissions to ID token - #7 by deanb

“The workaround is to put the permissions on the access token, then open up an endpoint on your server that returns the permissions that are on the access token, then make a request to the new endpoint from your SPA to get the permissions.”

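The workaround quoted above is only safe if the endpoint validates the access token before echoing its claims back to the SPA. The following is an added example, not code from the thread or from Auth0: a Node.js sketch that checks algorithm, signature, issuer, audience and expiry, then returns the `permissions` array. It assumes an RS256 token; the issuer, audience, key pair, sample token and function names are constructed for illustration.

```javascript
const crypto = require('node:crypto');
const b64urlJson = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Verify an RS256 access token and return its `permissions` claim; throws on any failure.
function permissionsFromAccessToken(token, publicKey, { issuer, audience, now = Date.now() }) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  // Pin the algorithm server-side: the token must not choose it (alg=none, HS256 confusion).
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (claims.iss !== issuer) throw new Error('wrong issuer');
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(audience)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp * 1000 <= now) throw new Error('expired');
  // A missing claim means "no permissions", never "all permissions".
  return Array.isArray(claims.permissions) ? claims.permissions.filter((x) => typeof x === 'string') : [];
}

// Constructed sample data. In production the public key comes from the issuer's JWKS.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const ISSUER = 'https://tenant.example/';
const AUDIENCE = 'https://api.example/';

function signSample(claims, key = privateKey) {
  const input = `${b64urlJson({ alg: 'RS256', typ: 'JWT' })}.${b64urlJson(claims)}`;
  return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), key).toString('base64url')}`;
}

const sampleToken = signSample({
  iss: ISSUER, aud: [AUDIENCE], sub: 'auth0|constructed-user',
  exp: Math.floor(Date.now() / 1000) + 300,
  permissions: ['read:reports', 'write:reports'],
});

// Framework-neutral handler: what the endpoint would send back to the SPA.
function handlePermissionsRequest(authorizationHeader) {
  const m = /^Bearer (.+)$/.exec(authorizationHeader || '');
  if (!m) return { status: 401, body: { error: 'missing bearer token' } };
  try {
    const permissions = permissionsFromAccessToken(m[1], publicKey, { issuer: ISSUER, audience: AUDIENCE });
    return { status: 200, body: { permissions } };
  } catch (err) {
    return { status: 401, body: { error: 'invalid token' } };
  }
}
```

The SPA should treat the returned list as a UI hint only; the API still has to enforce permissions on every request.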