Adding a simple Admin identifier to access token

Hello, I am new to Auth0 and am getting a little confused between all the terms and concepts.
I want to add an admin identifier to certain user’s access tokens. My Spring application will extract this information from the access token and use its presence to allow access to certain resources.

Should this identifier be a role, permission, scope or a claim?
I have seen Role-based access control mentioned in a few places is this relevant to what I am trying to do?

Is below a valid approach or am I missing something:

  1. Add my created ‘ADMIN_ROLE’ to certain users using the UI. This will contain no permissions (it says ‘no apis found’ when I tried).
  2. Create a custom action as part of the login flow which will add all role names to a user’s access token when they log in.
  3. Extract this in my backend application.

Any help is appreciated, I feel like I am drowning in information.

Hey there @KINGKENNA welcome to the community!

You’re definitely on the right track looking into using RBAC. If enabled by your API, you can have permissions automatically added to a user’s access token as a custom claim. Typically, the permissions in an access token are enough to infer the role, but you can also add a user’s roles to an access token in a custom claim using a Post Login Action. An example of this might be:

exports.onExecutePostLogin = async (event, api) => {
  // Namespace the claim so it cannot collide with standard JWT claims.
  const namespace = 'https://myapp.example.com/';
  // Roles assigned to the user in the Auth0 dashboard; absent if RBAC is not in use.
  const assignedRoles = (event.authorization || {}).roles;

  if (assignedRoles && assignedRoles.length > 0) {
    api.accessToken.setCustomClaim(`${namespace}roles`, assignedRoles);
  }
};

Your backend will have access to these claims (roles, permissions) and can make authorization decisions accordingly.


@KINGKENNA Hopefully @tyf’s answer helped. If you’re using Spring Boot, our RBAC in Spring Boot lab might help. It shows how to use the Okta Spring Boot starter to easily map your roles to Spring Security authorities. You just need one property to make it work with the above example:

okta.oauth2.groupsClaim=https://myapp.example.com/roles
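To tie the two answers above together, here is an added example (not code from the thread, from Auth0, or from the Okta starter) that simulates the Post Login Action against a constructed `event`/`api` pair and then shows the backend-side check that reads the same namespaced claim the `okta.oauth2.groupsClaim` property points at. The namespace, the role name `ADMIN_ROLE`, the fake `api` object and the sample events are assumptions made for this example; it also shows what happens when `event.authorization` is absent, in which case no claim is written and the backend denies by default.

```javascript
// Added example, not code from the thread or from Auth0: simulates the Post
// Login Action from the answer above and the backend check that consumes
// the resulting claim. Namespace, role names and the fake api are assumptions.
const NAMESPACE = 'https://myapp.example.com/';
const ROLES_CLAIM = `${NAMESPACE}roles`; // same name as okta.oauth2.groupsClaim

// Same logic as the action in the answer above. The real Action handler is
// async; nothing here awaits, so a plain function keeps the example testable.
function onExecutePostLogin(event, api) {
  const assignedRoles = (event.authorization || {}).roles;
  if (assignedRoles && assignedRoles.length > 0) {
    api.accessToken.setCustomClaim(ROLES_CLAIM, assignedRoles);
  }
}

// Stand-in for the Actions `api` object (assumption): records the claims
// the action would write into the access token.
function makeFakeApi() {
  const claims = {};
  return {
    accessToken: { setCustomClaim: (name, value) => { claims[name] = value; } },
    claims,
  };
}

// Runs the action and returns the constructed payload a backend would see
// after verifying the token's signature, issuer and audience.
function buildTokenPayload(event) {
  const api = makeFakeApi();
  onExecutePostLogin(event, api);
  return { sub: event.user.user_id, aud: 'https://my-api.example.com', ...api.claims };
}

// Backend side: turn the roles claim into authority strings. A missing or
// malformed claim yields no authorities, so access is denied by default.
function authoritiesFrom(payload) {
  const roles = payload[ROLES_CLAIM];
  if (!Array.isArray(roles)) return [];
  return roles.filter((r) => typeof r === 'string');
}

// Only users carrying the ADMIN_ROLE role may reach admin resources.
function canAccessAdminResource(payload) {
  return authoritiesFrom(payload).includes('ADMIN_ROLE');
}

// Constructed events: one user with ADMIN_ROLE assigned, and one user for
// whom event.authorization is absent (no roles end up in the token).
const adminEvent = {
  user: { user_id: 'auth0|admin-example' },
  authorization: { roles: ['ADMIN_ROLE'] },
};
const plainEvent = { user: { user_id: 'auth0|user-example' } };

console.log(buildTokenPayload(adminEvent));
console.log('admin user allowed:', canAccessAdminResource(buildTokenPayload(adminEvent)));
console.log('plain user allowed:', canAccessAdminResource(buildTokenPayload(plainEvent)));
```

The backend never trusts the claim's shape: anything other than an array of strings is treated as "no roles", which is the same outcome as a user who was never assigned a role. In a Spring application the verification step (signature, issuer, audience) is what the resource server configuration does before any authority mapping happens.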

Woo! Thanks @mraible :smile:

Thanks for the replies. I added a post login action as suggested but it does not seem to be triggered when a user logs in. My access token/ID token do not contain any roles.

exports.onExecutePostLogin = async (event, api) => {
  const namespace = 'test123';
  // Only runs when Auth0 supplies the user's authorization context.
  if (event.authorization) {
    console.log('test!!');
    console.log(event.authorization.roles);
    api.idToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
    api.accessToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
  }
};

It is deployed and added to my login flow. I get no logs showing up when using the Real-time Webtask Logs Extension. The logs display when I test run my action but not in the actual login flow.
