
Assigning default role(s) to new users

auth0
roles
#1

I’d like to assign a Role to users that sign up with my application.

My setup is a SPA that uses the WebAuth API. I have user roles and scopes coming from various APIs defined in the Auth0 dashboard. On the frontend, the scopes come from the accessToken.permissions field. I am not using the authorization-extension.

At the moment, I have to manually assign roles to users that sign up for my application. This is obviously not optimal because it’s a manual process. How could I assign roles to new users?

I’ve looked through all the questions and documentation and I can’t find a way to do this. I’ve also tried using the “Set roles to a user” Rule but I haven’t been able to make it work (aka the accessToken.permissions never reflect my changes).

Help!

#2

Hello, have you found a solution for this problem?
This one looks promising, however it uses the extension and I’m not sure yet whether it will work in our case: https://jakob-ekelhart.com/how-to-add-default-role-to-auth0-user/

#3

Hi @RandomStranger! I haven’t found a solution that works without refactoring everything to use the Authorization extension. The article you posted looks helpful though, thank you!

#4

Hi @deammer

I have managed to pull this off by leveraging the management API from within my rule.

From within the rule you’ll need to do a client credentials grant - to get a token that has access to the management API.

Here is an example of that:

const axios = require("axios");

// Client-credentials grant against the tenant's token endpoint. The Management
// API token comes back in the response body as data.access_token.
function getAccessToken() {
  return axios.post(
    "https://" + auth0.domain + "/oauth/token",
    {
      grant_type: "client_credentials",
      client_id: configuration.MGMT_API_ID,         // stored in the rule settings, not hard-coded
      client_secret: configuration.MGMT_API_SECRET,
      audience: "https://" + auth0.domain + "/api/v2/"
    },
    { headers: { "content-type": "application/json" } }
  );
}

With that access token, you can assign roles to users. Here is a sample of that:

// POST /api/v2/users/{id}/roles with the Management API token obtained above.
function assignRole(userId, roleId, accessToken) {
  return axios.post(
    `https://${auth0.domain}/api/v2/users/${userId}/roles`,
    { roles: [roleId] },
    {
      headers: {
        "cache-control": "no-cache",
        authorization: `Bearer ${accessToken}`,
        "content-type": "application/json"
      }
    }
  );
}

The current rule authorization context (context.authorization.roles) will not have the newly assigned role(s), but you can mutate the context so any subsequent rules will have the correct roles within the authorization context.

context.authorization.roles.push(ROLE_NAME);

The context will also be missing permissions associated with that role - not sure how to handle that…

Hope this helps!

1 Like
#5

Thanks for sharing, @harmoN! That’s an interesting way to mutate the authorization context, but it doesn’t do exactly what I want.

I’d like to permanently (aka not just within the context of Rules) assign roles to users and thus grant them the related API scopes.

Here’s an example setup:

  • an Auth0 SPA that handles authentication
  • an API called “Product API” with the scopes read:product, create:product, delete:product
  • a “Viewer” role that has the read:product permission
  • an “Admin” role that has all the permissions

I’d like to automatically assign the “Viewer” role to everyone that signs up for my app and thus give them the read:product permission (this is a simplified use case).

#6

I am only mutating the context so that the initial login works, and the first token issued properly includes the user’s default roles (Auth0 Roles). Otherwise they would have to log in again to have their roles in the context.

In my first rule - I have a condition that checks if context.authorization.roles.length === 0 - which means it is their first login and they have not been assigned the default role (could probably also check if loginCount === 0). That is when the rule executes the above example functions, which hit the Auth0 management API to permanently assign that user to a default role, or any other roles.

1 Like
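The rule described across posts #4 and #6 (first-login check, client-credentials grant, role assignment via the Management API, context patch), assembled into one function as an added example; this is not code from the thread. It assumes an injected axios-style `post(url, body, opts)` client so it can run offline, and the rule-settings keys `DEFAULT_ROLE_ID` / `DEFAULT_ROLE_NAME` are hypothetical names, not Auth0 defaults.

```javascript
// Added example, not the thread's code. `post` is an injected axios-style client so the
// rule runs offline; DEFAULT_ROLE_ID / DEFAULT_ROLE_NAME are hypothetical settings keys.
function makeDefaultRoleRule({ post, domain, configuration }) {
  const base = `https://${domain}`;
  // Client-credentials grant: the Management API token is in data.access_token.
  async function getAccessToken() {
    const res = await post(
      `${base}/oauth/token`,
      {
        grant_type: "client_credentials",
        client_id: configuration.MGMT_API_ID,
        client_secret: configuration.MGMT_API_SECRET,
        audience: `${base}/api/v2/`,
      },
      { headers: { "content-type": "application/json" } }
    );
    return res.data.access_token;
  }
  // POST /api/v2/users/{id}/roles; user IDs such as "auth0|..." must be URL-encoded.
  async function assignRole(userId, roleId, accessToken) {
    await post(
      `${base}/api/v2/users/${encodeURIComponent(userId)}/roles`,
      { roles: [roleId] },
      { headers: { authorization: `Bearer ${accessToken}`, "content-type": "application/json" } }
    );
  }
  // Rule entry point, with the (user, context, callback) signature Auth0 calls.
  return async function assignDefaultRole(user, context, callback) {
    context.authorization = context.authorization || {};
    const roles = (context.authorization.roles = context.authorization.roles || []);
    // Post #6's condition: no roles yet means this is the user's first login.
    if (roles.length > 0) return callback(null, user, context);
    try {
      const token = await getAccessToken();
      await assignRole(user.user_id, configuration.DEFAULT_ROLE_ID, token);
      roles.push(configuration.DEFAULT_ROLE_NAME); // post #4: patch context for later rules
      return callback(null, user, context);
    } catch (err) {
      return callback(err); // fail closed rather than issue a token with unknown roles
    }
  };
}

// Promise wrapper around the callback so the rule can be exercised offline.
function runRule(rule, user, context) {
  return new Promise((resolve) => rule(user, context, (err, u, c) => resolve({ err, user: u, context: c })));
}
```

On a second login the roles array is already populated, so the rule makes no Management API calls at all.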