Accessing the user's role post-login

I have been trying to implement RBAC in my application.
I have an API and a frontend; the API has access to the Management API, but the frontend is a typical Next.js application.

I am trying to get the currently logged-in user's role in the middleware through the getSession() hook.

I have added the roles to the access token and the ID token. When I log in and console.log those values, the roles have indeed been added to the tokens correctly, so I have set up the action correctly.
What I don't get is why I can't access it in the user object. Am I supposed to parse the JWT myself?
I'm not sure what is left to check.

  1. Created the roles and added them to my user.
  2. Created an action and assigned it to the post-login trigger via the Auth0 dashboard.
  3. Initialized the Auth0 SDK within Next.js:
import { Auth0Client } from "@auth0/nextjs-auth0/server"

export const auth0 = new Auth0Client({
    authorizationParameters: {
        audience: process.env.AUTH0_AUDIENCE,
        scope: 'openid profile email roles'
    },
})
  • Note that the audience comes from the same API that I'm using for my server.
  4. Created the middleware and fetched the roles for the user:
import { NextRequest, NextResponse } from "next/server"

import { auth0 } from "./lib/auth0"

export async function middleware(request: NextRequest) {
    // Let the SDK handle its own routes (/auth/login, /auth/callback, ...)
    // and refresh the session cookie on every other request.
    const authRes = await auth0.middleware(request)
    if (request.nextUrl.pathname.startsWith("/auth")) {
        return authRes
    }

    const session = await auth0.getSession()
    if (!session) {
        return NextResponse.redirect(new URL("/auth/login", request.nextUrl.origin))
    }

    // Namespaced custom claim added by the post-login action.
    const roles: string[] = session.user["https://your-app-name.com/roles"]
    console.log(roles)
    console.log(session.user)
    console.log(session.tokenSet.accessToken)

    // Return the SDK's response so any updated session cookie is propagated.
    return authRes
}

Am I missing something crucial in the flow?

        console.log(roles)
        console.log(session.user)
        console.log(session.tokenSet.accessToken)

Forgot to add:

  1. The roles const comes back as undefined.
  2. The user object does not have my namespace.
  3. When I parse the access token, I get the namespace with the roles for the user.

Hi @RagnarSmari

Welcome to the Auth0 community!

How are you setting the roles in an action? You would assign the roles as such:

exports.onExecutePostLogin = async (event, api) => {

 api.idToken.setCustomClaim("https://randomtest.org/roles", event.authorization.roles)

}

By any chance, does the naming convention for the namespace when setting the custom claims using a PostLogin Action go against our restrictions mentioned in this documentation?

Otherwise, could you try assigning the roles like this:

  const session = await getSession(req, res);

  console.log(session?.user['{{YOUR_NAMESPACE}}']);

Also, session.user in this case should contain the custom claims you have set using the PostLogin Action.

Alternatively, you can try to retrieve this data using the useUser() hook mentioned in the Github Documentation.

Let me know if you have any other questions or if the solutions above were not helpful!

Kind Regards,
Nik

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.