Add All User Permissions to AccessToken in onExecutePostLogin Action

We have a front end application which is handling user login, and receiving an AccessToken. We are then planning on using that AccessToken in multiple API’s in our ecosystem. We would like this AccessToken to include the user’s permissions for each API they might contact.

I created an API in Auth0 Dashboard

And enabled RBAC Settings

Based on the descriptions in the RBAC Settings, i assumed that this would have been enough to add permissions to users AccessToken when they login in on our front end client, however this did not reflect in the token.

I tried creating an Action which would inject the permissions, but it seems i can only inject roles through the actions interface.
Here’s the action’s code:

* Handler that will be called during the execution of a PostLogin flow.
* @param {Event} event - Details about the user and the context in which they are logging in.
* @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
exports.onExecutePostLogin = async (event, api) => {
  const ROLES_NAMESPACE = 'https://roles';
  const PERMISSIONS_NAMESPACE = 'https://permissions';
  if (event.authorization) {

    api.idToken.setCustomClaim(`${ROLES_NAMESPACE}`, event.authorization.roles);
    api.accessToken.setCustomClaim(`${ROLES_NAMESPACE}`, event.authorization.roles);
    api.accessToken.setCustomClaim(`${PERMISSIONS_NAMESPACE}`, event.user.app_metadata);

And a screenshot showing it is in the login flow

Not sure if this what I’m attempting to do is possible. I am guessing I am missing some key concept as to why this shouldn’t be done this way if anyone wants to help me understand what i missing lol

Hi @tea-jay,

Welcome to the Auth0 Community!

To add all user permission to the Access Token, you will need to toggle on the Enable RBAC and Add Permissions in the Access Token features in your API"s RBAC settings.

It looks like you have already completed this step, which is all you need to get the permissions added to the access token.

Our How can I add the permissions claim in my Access Token with Rules? FAQ also mentions this.

With that, could you please provide me more details on the login request you made, such as sharing the /authorize request?

This will give me more information on your issue so I can help you get it working.


This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.