Add user attributes to idToken

I'm trying to replicate what an existing rule does, but in an action.
I have a rule that adds a user's Identity Provider Attribute called roles to the idToken.

I can see the example docs allow you to add roles from event.authorization.roles, but I am trying to add them from the user attributes. The following adds the claim, but the value is null.

I can see the user profile doesn't have roles as a property, hence the error. Is there a correct way to do this, or are the attributes elsewhere?
Thanks


Hi @oliver.back,

You can set a custom claim for the user’s roles by using event.authorization.roles:

exports.onExecutePostLogin = async (event, api) => {
  // Custom claims must be namespaced (URL-like prefix) or Auth0 drops them.
  const namespace = 'https://test.com/';
  // Guard against a missing authorization object so the claim is never null.
  const roles = (event.authorization || {}).roles || [];
  api.idToken.setCustomClaim(`${namespace}roles`, roles);
};

https://auth0.com/docs/actions-event-object

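The snippet above sets the claim unconditionally, which is how the original poster ended up with a claim whose value was null. The following is an added example, not code from the thread or from Auth0, showing the same namespaced-claim technique written so that the claim is only set when a non-empty array of roles was actually found. It reads event.authorization.roles first (the documented source) and then falls back to event.user.app_metadata.roles; that fallback source, the namespace and the sample events are assumptions made for illustration, and the fake api object only records what a real Actions api would receive.

```javascript
// Added example: defensive role-claim construction for an Auth0 Action.
// Not from the original thread; the app_metadata fallback and the sample
// events below are assumptions for illustration only.
const NAMESPACE = 'https://test.com/';

// Return the first non-empty array of roles among the candidate sources,
// normalising every entry to a string. Returns [] when nothing usable exists.
function pickRoles(event) {
  const candidates = [
    event.authorization && event.authorization.roles,                     // Auth0 RBAC roles
    event.user && event.user.app_metadata && event.user.app_metadata.roles, // assumed fallback
  ];
  for (const c of candidates) {
    if (Array.isArray(c) && c.length > 0) return c.map(String);
  }
  return [];
}

// Build the namespaced claims to add. An empty object means "add nothing",
// so a null or empty roles claim never reaches the id_token.
function buildClaims(event, namespace = NAMESPACE) {
  const roles = pickRoles(event);
  return roles.length > 0 ? { [`${namespace}roles`]: roles } : {};
}

// Apply a claims object through the Actions api; returns how many were set.
function applyClaims(api, claims) {
  let count = 0;
  for (const [name, value] of Object.entries(claims)) {
    api.idToken.setCustomClaim(name, value);
    count += 1;
  }
  return count;
}

// The entry point Auth0 would call for a post-login Action.
async function onExecutePostLogin(event, api) {
  applyClaims(api, buildClaims(event));
}

// Minimal stand-in for the Actions `api` object that records what was set.
function makeFakeApi() {
  const claims = {};
  return {
    idToken: { setCustomClaim: (name, value) => { claims[name] = value; } },
    claims,
  };
}

// Constructed sample events (not real Auth0 data).
const withRbac = { authorization: { roles: ['admin'] }, user: {} };
const withMetadata = { authorization: {}, user: { app_metadata: { roles: ['reader', 'writer'] } } };
const withNothing = { user: {} };

// Stand-alone demonstration.
const demoApi = makeFakeApi();
applyClaims(demoApi, buildClaims(withRbac));
applyClaims(demoApi, buildClaims(withNothing)); // sets nothing, leaves no null claim
console.log(demoApi.claims);
```

If you later find the IdP roles under some other field of the event, adding it to the candidates list in pickRoles is the only change needed; the claim is still only written when the lookup returns a real array.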

Hi

Thanks, I think event.authorization.roles are roles specific to Auth0 applications?
I'm using an Azure AD enterprise connection, which in turn adds the Azure AD application-assigned roles to the user's identity provider attributes.
It is this specific attribute called "roles" I'm looking to add as a claim. Hope that makes sense.

thanks!

I see, that makes sense! I am not too familiar with Azure AD, and so I will have to research this. I don't believe there are any attributes outside of what is described in the event object here: https://auth0.com/docs/actions-event-object

I’m curious if the roles would be available in the waad item in the event.user.identities array in profileData

I just checked…
It doesn't seem the roles are available in the waad item in event.user.identities.


Thanks for testing that. I’ve reached out to the engineering team about this and I will let you know when I hear back.


Hi @oliver.back, the engineering team is working to find a solution for this use case in actions. I will keep you updated!

I have received another update from the Engineering team. An issue has been created to allow additional root profile fields from the identity provider (e.g. Azure AD) to be available in Actions. Unfortunately, I don't have an estimated date for when this will be available, but I will update when it is.
