Overview
This article clarifies whether it is possible to retrieve the user’s Roles and/or Permissions and include them in the JWT Token during the login flow.
Applies To
- Actions
- User Roles
- User Permissions
Solution
A Post-Login Action script is required to add Roles and Permissions to the ID and/or Access Token. Follow the video or steps below for Roles and/or Permissions.
Adding Roles
- Access the user’s assigned roles using the event.authorization.roles property within the Post-Login Action script. Alternatively, retrieve the roles by calling the Management API’s Get a User’s Roles endpoint.
- Add the roles as a namespaced custom claim to the ID and/or Access Token. Refer to Create Custom Claims for guidance on namespacing.
Example Script:
exports.onExecutePostLogin = async (event, api) => {
  // Namespace the claim with a URL you control so it cannot collide with standard OIDC claims.
  const namespace = 'https://my-app.example.com';
  // event.authorization is only populated when the login is authorized; roles is an array of role names.
  if (event.authorization) {
    api.idToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
    api.accessToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
  }
}
NOTE: Ensure the user has roles assigned before they log in. To check or assign roles:
- Navigate to Dashboard > User Management > Users
- Select the specific user.
- Select the Roles tab.
- If the user has no roles assigned, select the Assign Roles button and select the desired role(s) from the dropdown list.
Adding Permissions
- Use the Management API within the Action to call the Get a User’s Permissions endpoint.
- Add the retrieved permissions as a namespaced custom claim to the ID and/or Access Token.
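The two permission steps carried through as a complete Post-Login Action. This is an added example, not Auth0's own script: it assumes Action secrets named DOMAIN, CLIENT_ID and CLIENT_SECRET for the Machine-to-Machine application, the same https://my-app.example.com namespace as the roles script, and a Management API client whose `management.users.getPermissions({ id, page, per_page })` call resolves to `{ data: [...] }` (the shape of the auth0 npm package v4; adjust it to the version pinned in the Action's dependencies). The response objects of the Get a User's Permissions endpoint carry `permission_name` and `resource_server_identifier`; the helpers below collapse them into a stable claim value and page through the endpoint so users with many permissions are not truncated.

```javascript
// Added example of a Post-Login Action that loads the user's permissions from the
// Management API and writes them as namespaced custom claims. Not Auth0's own code.
// Assumed secret names: DOMAIN, CLIENT_ID, CLIENT_SECRET (set them in the Action's Secrets tab).

const NAMESPACE = 'https://my-app.example.com'; // same namespace as the roles example

// Collapse Management API permission objects to a sorted, de-duplicated list of names.
// Sorting keeps the claim byte-identical across logins, which matters for clients
// that cache or compare tokens; de-duplication matters because two APIs can grant
// the same permission_name.
function permissionNames(permissions) {
  const names = new Set();
  for (const p of permissions || []) {
    if (p && typeof p.permission_name === 'string') names.add(p.permission_name);
  }
  return [...names].sort();
}

// Variant that keeps track of which API (resource server) granted each permission,
// for applications that call several APIs and must not confuse read:orders on one
// with read:orders on another.
function permissionsByAudience(permissions) {
  const grouped = {};
  for (const p of permissions || []) {
    if (!p || typeof p.permission_name !== 'string') continue;
    const aud = p.resource_server_identifier || 'unknown';
    if (!grouped[aud]) grouped[aud] = new Set();
    grouped[aud].add(p.permission_name);
  }
  const result = {};
  for (const aud of Object.keys(grouped).sort()) result[aud] = [...grouped[aud]].sort();
  return result;
}

// The endpoint is paginated; keep requesting pages until a short page arrives.
// `management` is any client exposing users.getPermissions({ id, page, per_page }) -> { data }.
async function fetchUserPermissions(management, userId, perPage = 50) {
  const all = [];
  for (let page = 0; ; page++) {
    const { data } = await management.users.getPermissions({ id: userId, page, per_page: perPage });
    all.push(...data);
    if (data.length < perPage) break;
  }
  return all;
}

// Write the claim to both tokens (drop one line if only one token needs it).
function setPermissionClaims(api, permissions) {
  const names = permissionNames(permissions);
  api.idToken.setCustomClaim(`${NAMESPACE}/permissions`, names);
  api.accessToken.setCustomClaim(`${NAMESPACE}/permissions`, names);
  return names;
}

async function onExecutePostLogin(event, api) {
  // Required inside the handler so the helpers above can be exercised without the package installed.
  const { ManagementClient } = require('auth0');
  const management = new ManagementClient({
    domain: event.secrets.DOMAIN,
    clientId: event.secrets.CLIENT_ID,
    clientSecret: event.secrets.CLIENT_SECRET,
  });
  try {
    const permissions = await fetchUserPermissions(management, event.user.user_id);
    setPermissionClaims(api, permissions);
  } catch (err) {
    // Fail open: the login completes without the claim. The API that receives the
    // token must therefore treat a missing claim as "no permissions", not as an error
    // in its own parsing; fail closed with api.access.deny(...) if that is not acceptable.
    console.log(`Could not load permissions for ${event.user.user_id}: ${err.message}`);
  }
}

exports.onExecutePostLogin = onExecutePostLogin;
```

Each Management API call counts against the tenant's rate limits and adds latency to every login, so cache the M2M token in api.cache (see the related reference on using the Management API in Actions) and consider the built-in RBAC setting "Add Permissions in the Access Token" when only the Access Token needs the permissions.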
Related References
- Example Use Case: Add User Roles to ID and Access Tokens with Actions
- Post Login Event Object
- Post Login API Object
- Management API Get Permissions Endpoint
- Management API Get User Roles Endpoint
- How can I use the Management API in Actions?
- How do I make an Axios API call and store it as a custom claim using Actions?