Adding Roles to ID Token with password grant for a Trusted Application

I have configured a server side application in Auth0 (Application Type = Regular Web app). I am using this for a trusted application that needs to use the Password grant. Both ID and access Tokens are issued as expected using

"grant_type": "http://auth0.com/oauth/grant-type/password-realm"

I need to add roles to the user using Flows and Actions. I am not able to find a suitable trigger that I can use to add roles to the token. The Post Login Flow which has the trigger onExecutePostLogin does not trigger.

What is the best way to add roles to tokens issued using the password grant type?

Hey there @araje !

Hmm, that’s odd! The password grant type (password-realm) should also trigger a post login action. I just did a simple test using the password-realm grant type with the following action code. The roles were indeed added to the access token:

exports.onExecutePostLogin = async (event, api) => {
  const namespace = "https://example.com";

  if (event.authorization) {
    api.accessToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
  }
};
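As an added example (not code from the thread or from Auth0), the same Action written to set the namespaced roles claim on both the ID token and the access token, together with a stand-in for Auth0's `api` object so the claim logic can be exercised offline, and a helper that reads the claim back out of a returned JWT. The namespace value is a placeholder.

```javascript
// Added example, not from the original thread. NAMESPACE is a placeholder value.
const NAMESPACE = "https://example.com";

// The Action body. In the Auth0 editor this is assigned to exports.onExecutePostLogin.
async function onExecutePostLogin(event, api) {
  // event.authorization is only present for user logins (not client credentials);
  // without the guard the Action would throw and the login would fail.
  if (event.authorization && Array.isArray(event.authorization.roles)) {
    const claim = `${NAMESPACE}/roles`; // custom claims must be namespaced
    api.idToken.setCustomClaim(claim, event.authorization.roles);
    api.accessToken.setCustomClaim(claim, event.authorization.roles);
  }
}
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;

// Minimal stand-in for Auth0's `api`: records each custom claim per token.
function makeApi() {
  const tokens = { idToken: {}, accessToken: {} };
  const recorder = (bucket) => ({
    setCustomClaim: (name, value) => { bucket[name] = value; },
  });
  return {
    idToken: recorder(tokens.idToken),
    accessToken: recorder(tokens.accessToken),
    tokens,
  };
}

// Run the Action against a constructed event and return the claims it recorded.
async function runAction(event) {
  const api = makeApi();
  await onExecutePostLogin(event, api);
  return api.tokens;
}

// Read the roles claim from a JWT returned by /oauth/token. This only decodes the
// payload for inspection; it does NOT verify the signature.
function rolesFromJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) return [];
  const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  const roles = payload[`${NAMESPACE}/roles`];
  return Array.isArray(roles) ? roles : [];
}
```

Running `rolesFromJwt` on the tokens the application actually receives is the quickest way to tell whether the claim was written by the Action or dropped on the way to the client.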

Thanks for your response, I have almost exactly the same action/trigger

exports.onExecutePostLogin = async (event, api) => {
  const namespace = 'https://title-transfer-api';
  if (event.authorization) {
    api.idToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
    api.accessToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
  }
};

Here are my specific configurations

  1. I have 2 applications: one is a SPA and another a server side app
  2. The action triggers fine for the SPA and the roles are included in the tokens
  3. It's the app configured as ‘Regular Web’ that does not include the permissions in the tokens

Would that make any difference? Do actions get triggered on only one app?

No problem, happy to help where I can!

As long as there is a user log in involved (not client credentials) in the Web app flow then it should also be triggering the Action. If you go to Monitoring → Logs in your dashboard you should be able to see any successful logins. Within those events will be details on the Actions run (if any). This might be a good place to start!

Thanks for pointing me to the logs. I do see an entry for a successful login and that the action “Add user roles to Token” is getting triggered. However, the access and ID tokens returned do not have the roles added.
