Actions to get permissions

hi everyone.

I have the following piece of code in an Action that is triggered during post-login:

exports.onExecutePostLogin = async (event, api) => {
  var map = require('array-map');

  var ManagementClient = require('auth0').ManagementClient;
  var management = new ManagementClient({
      domain: event.secrets.domain,
      clientId: event.secrets.clientId,
      clientSecret: event.secrets.clientSecret
  });

  var params = { id: event.user.user_id, page: 0, per_page: 50, include_totals: false };
  console.log('1');
  management.getUserPermissions(params, 
    function (err, permissions) {
      console.log('2');
      if (err) {
        // Handle error.
        console.log('err: ', err);
      } else {
        console.log('3');
        var permissionsArr = map(permissions.permissions, function (permission) {
            return permission.permission_name;
        });
        console.log('4');
        api.accessToken.setCustomClaim("https://abc.com/access_actions", permissions.Arr.join(" "));
        console.log('5');
      }
    }
  );
};

It does absolutely nothing. Can anyone spot what is wrong? I’m new to writing rules…the only thing I see in my logs is the output from console.log(‘1’).

By the way, I assume that domain should be “dev-xxxxxxxx.xx.auth0.com”, right? No need to specify https or http etc. and no trailing forward slash.

I’ve manually called the management API using curl, the same client-id and client-secret, and it works just fine. I can get the results I want. So I know that part is correct (I’ve also tried hard coding them directly in the action).

Plus, I can see in my logs that the credentials are successfully sent across to the management API.

Nevermind. I managed to fix the issue.

FWIW, i changed the code to

exports.onExecutePostLogin = async (event, api) => 
{

  var map = require('array-map');

  var ManagementClient = require('auth0').ManagementClient;

  var management = new ManagementClient

  (

    {

      domain: event.secrets.domain,

      clientId: event.secrets.clientId,

      clientSecret: event.secrets.clientSecret

    }

  );

  var params = { id: event.user.user_id, page: 0, per_page: 50, include_totals: false };

  console.log('1');

  let userPermissions = await management.getUserPermissions(params);

  var permissionsArray = map(userPermissions, function (permission) 

    {

      return permission.permission_name;

    }

  );

  api.accessToken.setCustomClaim("https://abc.com/access", permissionsArray.join(" "));

};
2 Likes

Thanks for posting a solution!

I’m back. Unfortunately, the same code doesn’t work in a M2M flow. :frowning:

exports.onExecuteCredentialsExchange = async (event, api) => {

  //var map = require('array-map');

  var ManagementClient = require('auth0').ManagementClient;

  var management = new ManagementClient

  (

    {

      domain: event.secrets.domain,

      clientId: event.secrets.clientId,

      clientSecret: event.secrets.clientSecret

    }

  );

  var params = { client_id: event.client.client_id };

  let clientObject = await management.getClient(params);

  console.log(clientObject);  

};

I’m seeing {“error”:“server_error”,“error_description”:“Timeout awaiting ‘response’ for 10000ms”} in curl.

What am I doing wrong? Basically I am trying to get all scopes given to a M2M application and insert it into a custom claim. I assume that’s in the getClient api call?

1 Like

You know what else is strange? When I manually call the mgmt api using curl, i see this:

{“statusCode”:403,“error”:“Forbidden”,“message”:“Insufficient scope, expected any of: read:clients,read:client_keys,read:client_credentials,read:client_summary”,“errorCode”:“insufficient_scope”}

I don’t see “read:client_summary” in the web console as a permission I can add. I even tried adding ALL the available permissions - I still see the same error.

Are you sure you have the correct domain?

You may need to add it manually via the management API.


Also, how often are you expecting to make this call? You could run into rate limits pretty quickly. It looks like you are planning on adding permissions to each user’s token, and that wouldn’t be advisable.

Yup I see the rate limit for the management api is quite low and I will easily breach that threshold. I have a different approach to achieving what I need.

Thanks.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.