Auth0 Home Blog Docs

Add roles to the access token

HI,
I have a simple API, can’t seem to add the role to the access token.
I’m using .net core webapi to develop a webapi with Auth0.
protecting my endpoint like this [Authorize(Roles = “Admin”)] will resolve in code 403.
I guess thats because the role is not a part of the claims.
I also tried adding the roles with a rule , i added a role to context.idToken and i can see it added in the Real-time Webtask Logs then added code on the startup.cs.configservice method to consume that claim (AddOpenIdConnect …) but still nothing.
Any ideas ?
thanks

Hi @liorgal,

Welcome to the Auth0 Community Forum!

Can you confirm you are following the name-spacing guidelines?

Here is an example rule as well:

https://auth0.com › docs › authorization › concepts › sample-use-cases-rules

Hope this helps!

Thanks,
Dan

If you are using the Auth0 asp.net Core Authorization quickstart you need to make sure that you’ve configured the app to recognize your Role claim.

The quick start page has a sample rule and shows the change you need to make in the startup.cs file so that your Role Claim is consumed by the middleware.

Regards

1 Like

Thanks Marcus
I know this article and i did try to implement that code , it doesnt work for me.
could it have anything to do with the fact that i use the Resource Owner Password api to get the access token ?
Thanks

Custom claims can be added to tokens with the password grant.

My test rule to add a role claim to my ID token.

function (user, context, callback) { context.idToken['https://schemas.quickstarts.com/roles'] = user.app_metadata.roles; callback(null, user, context); }

In the startup.cs file I define that role so that it’s consumed by the middleware

options.TokenValidationParameters = new TokenValidationParameters { NameClaimType = "Role", RoleClaimType = "https://schemas.quickstarts.com/roles" };

My Role defined as a claim on my returned ID token:

{ "https://schemas.quickstarts.com/roles": [ "user" ], "nickname": "marcusbaker1"....

Verify that your ID token has your role by unpacking the token at jwt.io

You can also call the /userinfo endpoint and you should get the same claims back that are defined on your ID Token.

Adding some additional context:

The authorization quickstart that I linked previously is using cookies, as such the ID token contains the role claim that is being consumed.

Since you mentioned that you are doing a password grant, I suspect that you are doing jwt bearer authentication so I’m adding the steps to make this work with jwt bearer auth as well.

Auth0 asp .net core authorization quickstart (this one uses jwt bearer auth)

Change your rule to attach your custom role claim to your accessToken

function (user, context, callback) { context.accessToken['https://schemas.quickstarts.com/roles'] = user.app_metadata.roles; callback(null, user, context); }

Add the token validation for your role to the jwtbearer options in startup.cs:

        }).AddJwtBearer(options =>
        {
            options.Authority = domain;
            options.Audience = Configuration["Auth0:ApiIdentifier"];
            // Set the correct name claim type
            options.TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "Roles",
                RoleClaimType = "https://schemas.quickstarts.com/roles"
            };

        });`

In your controller(s) add the required roles as you previously did

[Authorize(Roles = "admin")]

I tested this with a password grant and it works.
Let me know if you have additional questions.

1 Like

Hi Marcus,
Thanks to your great answers i got it to work.
thanks!

2 Likes