Action Login Flow - Not able to enrich the access token with the user's permission

Context: Currently, we use Auth0 Authorisation extension to manage RBAC. This extension provides a rule that is executed prior to any other rules in the Auth Pipeline to update the user’s app metadata with all RBAC information (groups, roles, permissions). Therefore, picking the user’s permissions to add custom claims to the access token is straightforward.

Constraint: Rules will reach the end of life on November 18, 2024. All current rules shall be migrated to Action.

Impact: Auth0 Authorization extension uses a rule to update the user’s app metadata with the RBAC information. There is no information about a possible update of this extension for using actions instead of rules. Therefore, this extension is deprecated and it will be removed from Auth0 at the end of life of the rules.

Concern: With RBAC managed with the Auth0 Authorization core, there is no reliable way to get the user’s permission in the Action Login Flow to create custom claims.
There are some solutions suggested by some posts on the community forum but none of them are suitable such as:

  • Using the Auth0 Management API endpoint to get the user’s permission within an action to create custom claims. This solution is not applicable in production because the Auth0 Management API for getting the user’s permissions has a low rate limit.
  • Putting the user’s permissions inside the user’s app metadata to make them available in an action. This solution is not suitable due to the synchronization issue between the user’s permissions set in Auth0 Authorization core and the ones set manually in the user’s app metadata. When an RBAC policy changes, this one shall be spread to all users one by one.

Request for support: Are there any solutions to get the user’s permissions in an action within an action logon flow to create custom claims for the access token in a reliable way?

Question: In the event object, onExecutePostLogin function parameter, there is an object named authorization with an array containing the roles assigned to the user. Why not add another array containing the user’s permissions associated to the user’s role?

Note: This concern is a blocking point in the migration from rules to actions.

Hi @nam.liberty,

Using the Authorization Core for RBAC has a guaranteed way to append the user’s permissions to the access token.

Specifically, there is an Add Permissions in the Access Token toggle that can be enabled. This setting can be found in your API’s settings towards the bottom of the page.

With that, I recommend managing your RBAC with the Authorization Core moving forward.

Please let me know if you have any questions.


Hi Ruben,

The RBAC Settings are configured in the same way than what you suggested:
RBAC Settings:

  • Enable RBAC: True
  • Add Permissions in the Access Token: True

When using the Auth0 Management API:

  • “https://{tenant}” endpoint - the received access token contains the permissions.
  • “https://{tenant}{user Id}/permission” endpoint - The assigned permissions are returned.

When performing a login, the received access token does not contain any user’s assigned permissions. This one is empty. And this is the concern.

Best regards

Hi @nam.liberty,

Thanks for following up.

Can you please confirm if you have passed the audience query parameter in the login URL?

And, can you please confirm if you have granted your Application API authorization by assigning the appropriate permissions?


Hi Rueben,

Thank you for your support.

Please find below the answer to your questions.

Question #1: Can you please confirm if you have passed the audience query parameter in the login URL?

The login URL is currently handled by the authentication library used by the application according to the programming language used:

  • In the current test regular web application in Node.JS, @hapi/bell library is used to handle the authentication strategy and this one does not provide any ‘audience’ option for Auth0 or for other identity providers.
  • In the regular web application sample in Python provided in the Quickstart tab of the application on Auth0 portal. But in this sample, there is no setting option for ‘audience’ for the authlib library used in this application sample.

It seems that this audience query parameter in the login URL is quite new that’s why this one is not present in the used authentication libraries…

Using the login URL directly in a browser has different behaviour.
&client_id={Client ID}
&redirect_uri={URL Callback}
At the beginning, it works meaning that the returned access token contains the expected permissions. But quickly an HTTP Code 500 Internal Server Error is generated. I’m wondering if behind the scene, the process uses Auth0 Management API and I’m falling in the rate limit. Do you known what is behind this HTTP Code 500 in this context?

Question #2: can you please confirm if you have granted your Application API authorization by assigning the appropriate permissions?
Yes, the appropriate permissions are assigned to the Application API.

Thanks in advance.

Best regards.

1 Like

Hi Rueben,

Do you have any update on this point?

I have perform a test by adding audience query parameter to the login URL and I can get the user permission. But the working behaviour is not consistence. Trying to perform via this technique several login attempts drives to HTTP 500 Internal server error.

The interaction with Auth0 is done via existing libraires such as @hapi/bell libray for Node.js or authlib library for Python used in the Python application example from Auth0 platform. And none of these libraries have an audience option in their configuration.
Moreover in the current Auth0 Authentication API documentation, audience option is not part of GET authorize endpoint. Is audience option part of ADDITIONAL_PARAMETERS?

Thanks advance

Hi @nam.liberty,

Here is an example to do this in Auth0 Node.js express SDK:

    authorizationParams: {
      response_type: 'code',
      scope: 'openid profile email read:reports',
      audience: 'https://your-api-identifier',


How did you trigger the 500 error code? Was it when you tried using the access token? And are you sure you are hitting the rate limit, if so, could you confirm the error message you saw?

Hi @nam.liberty,

See our Call Your API Using the Authorization Code Flow documentation on this. It states that the audience parameter must be passed if you want to call your API.

And yes, the audience parameter is part of the ADDITIONAL_PARAMETERS section. I will make a note of this so that our teams can review the clarity of our documentation.


Hi Rueben,

Thank you very much for your answer.
We need to go through all our applications to figure out how to set audience options with the login library/package used by each.

Best regards

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.