We have a front end application which is handling user login, and receiving an AccessToken. We are then planning on using that AccessToken in multiple APIs in our ecosystem. We would like this AccessToken to include the user’s permissions for each API they might contact.
I created an API in Auth0 Dashboard
And enabled RBAC Settings
Based on the descriptions in the RBAC Settings, I assumed that this would have been enough to add permissions to the user's AccessToken when they log in on our front end client; however, this did not reflect in the token.
I tried creating an Action which would inject the permissions, but it seems I can only inject roles through the Actions interface.
Here’s the action’s code:
/**
 * Handler that will be called during the execution of a PostLogin flow.
 *
 * @param {Event} event - Details about the user and the context in which they are logging in.
 * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
 */
exports.onExecutePostLogin = async (event, api) => {
  // Namespaced names for the custom claims added below.
  const ROLES_NAMESPACE = 'https://roles';
  const PERMISSIONS_NAMESPACE = 'https://permissions';
  if (event.authorization) {
    // Roles assigned to the user, copied into both the ID token and the access token.
    api.idToken.setCustomClaim(ROLES_NAMESPACE, event.authorization.roles);
    api.accessToken.setCustomClaim(ROLES_NAMESPACE, event.authorization.roles);
    // The user's app_metadata object, copied as-is under the permissions claim.
    api.accessToken.setCustomClaim(PERMISSIONS_NAMESPACE, event.user.app_metadata);
  }
};
And a screenshot showing it is in the login flow
Not sure if what I’m attempting to do is possible. I am guessing I am missing some key concept as to why this shouldn’t be done this way, if anyone wants to help me understand what I'm missing lol