Add Roles and Permissions to the ID Token Using Actions

Overview

This article explains how to retrieve a user's Roles and/or Permissions during the login flow and include them as custom claims in the ID Token and/or Access Token (both are JWTs).

Applies To

  • Actions
  • User Roles
  • User Permissions

Solution

A Post-Login Action is required to add Roles and Permissions to the ID and/or Access Token. Follow the steps below for Roles and/or Permissions.

Adding Roles

  1. Access the user’s assigned roles using the event.authorization.roles property within the Post-Login Action script. Alternatively, retrieve the roles by calling the Management API’s Get a User’s Roles endpoint.
  2. Add the roles as a namespaced custom claim to the ID and/or Access Token. Refer to Create Custom Claims for guidance on namespacing. Example Script:
exports.onExecutePostLogin = async (event, api) => {
  // Custom claims must be namespaced with a URL you control so they cannot collide with standard claims.
  const namespace = 'https://my-app.example.com';
  // event.authorization is only populated when the user is authorized, so guard against it being undefined.
  if (event.authorization) {
    api.idToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
    api.accessToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
  }
};

NOTE: Ensure the user has roles assigned before they log in. To check or assign roles:

  1. Navigate to Dashboard > User Management > Users
  2. Select the specific user.
  3. Select the Roles tab.
  4. If the user has no roles assigned, select the Assign Roles button and select the desired role(s) from the dropdown list.

Adding Permissions

  1. Call the Management API's Get a User's Permissions endpoint from within the Action (for example with the auth0 Node.js SDK, authenticating as a Machine-to-Machine application that is authorized for the Management API, with its credentials stored as Action secrets). The endpoint is paginated, so fetch every page if a user can hold more than one page of permissions.
  2. Add the retrieved permission names as a namespaced custom claim to the ID and/or Access Token.

NOTE: If the permissions are only needed in the Access Token for a single API, enabling Add Permissions in the Access Token in that API's RBAC Settings adds a permissions claim without an Action. A Management API call on every login also counts against the Management API rate limits.
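The following Post-Login Action is an added example covering both sections above; it is not code from the original article. It adds the roles from event.authorization and the permissions fetched from the Management API as namespaced custom claims, walking every page of the permissions listing and deduplicating the names. It assumes the auth0 npm package (3.x API, getUserPermissions) is added as an Action dependency and that the Action secrets domain, clientId and clientSecret hold the credentials of a Machine-to-Machine application authorized for the Management API with the read:users scope; the namespace, secret names, fake permission pages and the recording api object are assumptions made for this example.

```javascript
// Added example, not from the original article. Assumes the `auth0` package (3.x API)
// as an Action dependency and the secrets `domain`, `clientId`, `clientSecret` for an
// M2M application authorized for the Management API (read:users).

const NAMESPACE = 'https://my-app.example.com'; // assumed namespace
const PAGE_SIZE = 50; // Management API page size used for the permissions lookup

// Walk the paginated permissions listing and return the permission names.
// `fetchPage(page)` resolves to one page: an array of { permission_name, ... } objects.
async function collectPermissionNames(fetchPage) {
  const names = new Set(); // deduplicate defensively
  for (let page = 0; ; page++) {
    const items = await fetchPage(page);
    for (const item of items) names.add(item.permission_name);
    if (items.length < PAGE_SIZE) break; // a short page is the last page
  }
  return [...names];
}

// Core of the Action, with the Management API call injected so it can run offline.
// `api` is the Actions API object (api.idToken / api.accessToken).
async function addRoleAndPermissionClaims(event, api, fetchPage) {
  if (event.authorization) {
    api.idToken.setCustomClaim(`${NAMESPACE}/roles`, event.authorization.roles);
    api.accessToken.setCustomClaim(`${NAMESPACE}/roles`, event.authorization.roles);
  }
  const permissions = await collectPermissionNames(fetchPage);
  api.idToken.setCustomClaim(`${NAMESPACE}/permissions`, permissions);
  api.accessToken.setCustomClaim(`${NAMESPACE}/permissions`, permissions);
  return permissions;
}

async function onExecutePostLogin(event, api) {
  const { ManagementClient } = require('auth0'); // 3.x API assumed
  const management = new ManagementClient({
    domain: event.secrets.domain,
    clientId: event.secrets.clientId,
    clientSecret: event.secrets.clientSecret,
  });
  const fetchPage = (page) =>
    management.getUserPermissions({
      id: event.user.user_id,
      page,
      per_page: PAGE_SIZE,
      include_totals: false,
    });
  try {
    await addRoleAndPermissionClaims(event, api, fetchPage);
  } catch (err) {
    // Lookup failed: log and issue the token without the permissions claim. Relying
    // parties must treat a missing claim as "no permissions" (fail closed).
    console.log(`permissions lookup failed for ${event.user.user_id}: ${err.message}`);
  }
}

// Entry point the Actions runtime looks for.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Constructed sample data for an offline run (not real Auth0 output): a full first
// page of 50 permissions and a short second page containing one duplicate.
function makeFakePermissionPages() {
  const pages = [
    Array.from({ length: PAGE_SIZE }, (_, i) => ({ permission_name: `read:item${i}` })),
    [{ permission_name: 'write:orders' }, { permission_name: 'read:item0' }],
  ];
  return async (page) => pages[page] || [];
}

// Minimal stand-in for the Actions `api` object that records the claims it receives.
function makeRecordingApi() {
  const claims = { idToken: {}, accessToken: {} };
  const recorder = (bucket) => ({ setCustomClaim: (k, v) => { bucket[k] = v; } });
  return { claims, idToken: recorder(claims.idToken), accessToken: recorder(claims.accessToken) };
}

// Offline demonstration: resolves to the claims that would be set on each token.
async function demo() {
  const event = { user: { user_id: 'auth0|example' }, authorization: { roles: ['admin'] } };
  const api = makeRecordingApi();
  await addRoleAndPermissionClaims(event, api, makeFakePermissionPages());
  return api.claims;
}
```

Because the Management API call is injected, the claim-building logic can be exercised locally with the constructed pages before the Action is deployed; in the tenant, the try/catch keeps a Management API outage or rate-limit response from blocking every login, while applications that depend on the claim must deny access when it is absent.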
