Add permissions to access token in actions (September 2023, rules are deprecated)

I’ve used Rules heavily to populate the access token with some extra information such as email and permissions. Yesterday I noticed that Rules are deprecated and I need to switch to Actions. I added the email to the token easily with api.accessToken.setCustomClaim(ns, event.user.email); but I’m struggling with adding permissions to it. The instructions I found on this forum and the instructions that ChatGPT4 provides tell me that I need to use the Management API to make an additional request. Part of the code that I copied and pasted from the forums looks like this:

As you can see, event.secrets does not provide properties such as clientSecret, and if you inspect the TypeScript definitions you’re going to notice that the Secrets interface is actually completely empty:


Permissions is a critical part of multiple apps I work on and I’m trying to find out:

  1. Permissions is one of the core features of Auth0, why is there no easy way to get them?
  2. Why is the secrets object gone if Actions allow you to call the Management API? Is it not allowed anymore? Should I hard-code the secrets myself inside variables, losing some part of flexibility and probably security?
  3. If I still use the Management API I’m going to get rate limit errors that need to be handled (I don’t know how to do that yet), is there any way to avoid using it at all?
  4. Why is it becoming harder and harder to work with permissions? Are they going to disappear soon?
  5. Maybe I don’t understand something (the purpose of roles and permissions, the way they need to be received) and I need to find an alternative approach? The only but horrible alternative I can see is to call Management API on every internal API request to receive an actual list of permissions, but obviously I’m going to hit the rate limit error much sooner. Please direct me if I do it wrong.

Unfortunately I can’t recommend using Auth0 to my clients since one of the core and important features is not available anymore. I hope you can help me find a solution that allows me to identify a user’s permissions without getting an additional source of problems such as API limits, which I didn’t have while I was using Rules. Thank you.

Hi @finom

You can add permissions in the access token by simply clicking the toggle ON for the “Add Permissions in the Access Token” setting. Please let me know if you need any clarification or if I can help you understand this feature.

I’m not sure what you mean by “Why secrets object is gone”. The secrets object is a customizable store for sensitive data, and you can add whatever data you want in a secret. It is a perfect place to store a client ID and secret. You must add these properties (client_id, client_secret), they are not automatically configured in an Action.

See our documentation about how to write your first action.

See answer #1.

No. Can you give an example of how they have changed?

I would not suggest calling the management API on every authentication. This is not a scalable pattern.

As for your first questions, they are addressed in our documentation (how secrets work, adding permissions to the AT). I would start by taking a look at our docs.

https://auth0.com/docs/get-started/apis/enable-role-based-access-control-for-apis

Rules would have had the same issues with the management API rate limits. Management API calls from rules are still subject to rate limits.

2 Likes
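A sketch of the API-side check once the “Add Permissions in the Access Token” setting is on, as an added example that is not code from this thread or from Auth0. It assumes the token's signature, issuer, audience and expiry were already verified, that the setting delivers a `permissions` array claim, and that the email claim uses a constructed placeholder namespace, since the thread's `ns` value is not shown.

```javascript
// Constructed placeholder: the thread's `ns` value is not shown on the page.
const EMAIL_CLAIM = "https://example.com/email";

// Decide whether an already-verified access-token payload grants every
// required permission. Verification of the JWT itself (signature, iss, aud,
// exp) is assumed to have happened before this function is called.
function authorize(payload, required) {
  const granted = payload && payload.permissions;
  // Fail closed when the claim is absent (assumed: setting is off) or is not
  // an array. Calling .includes() on a string would match substrings, so
  // "read:reports-archive" would wrongly satisfy "read:reports".
  if (!Array.isArray(granted)) {
    return { allowed: false, reason: "no permissions array in token" };
  }
  const have = new Set(granted.filter((p) => typeof p === "string"));
  const missing = required.filter((p) => !have.has(p));
  if (missing.length > 0) {
    return { allowed: false, reason: "missing: " + missing.join(", ") };
  }
  // The email is informational only; it never takes part in the decision.
  return { allowed: true, email: payload[EMAIL_CLAIM] || null };
}

// Constructed sample payloads (decoded claims, not real tokens).
const withPermissions = {
  sub: "auth0|constructed-user",
  permissions: ["read:reports", "write:reports"],
  [EMAIL_CLAIM]: "user@example.com",
};
const withoutPermissions = { sub: "auth0|constructed-user", scope: "openid" };
const stringClaim = { sub: "auth0|constructed-user", permissions: "read:reports-archive" };

console.log(authorize(withPermissions, ["read:reports"]));
console.log(authorize(withPermissions, ["delete:reports"]));
console.log(authorize(withoutPermissions, ["read:reports"]));
console.log(authorize(stringClaim, ["read:reports"]));
```

Because the permissions travel inside the token, this check needs no Management API call at request time, so rate limits do not come into play.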

> You can add permissions in the access token by simply clicking the toggle ON for the “Add Permissions in the Access Token” setting. Please let me know if you need any clarification or if I can help you understand this feature.

:man_facepalming: my bad… I was frustrated and too emotional after spending a lot of time on working with Actions to achieve a small thing (get permissions). When the system has problems it’s hard to identify if it’s your bad or system’s.

> I’m not sure what you mean by “Why secrets object is gone”.

They’re not available at Actions. The Secrets interface is empty, is there any way to enable it? All recommendations how to get permissions thru Management API in Actions aren’t doable because you have no way to get the credentials, at least until you enable some feature as with permissions.

> No. Can you give an example of how they have changed?

I was using Rules for that, so yeah, that’s still my bad.

You can add a secret by clicking the key icon in the left hand menu bar, and selecting “Add Secret”.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.