Auth0+Django Setting Roles and Permissions

When I implement Auth0 Authentication and the “Set Roles to User” Rule:

function (user, context, callback) {
  // Namespace under auth0.com: Auth0 reserves its own domains, so the claims set below never reach the tokens
  const namespace = 'https://dev-o0hx8kbg.us.auth0.com';
  // Roles assigned to the user (populated by Auth0's Authorization Core at login)
  const assignedRoles = (context.authorization || {}).roles;
  // Permissions stored by the application in the user's app_metadata
  const assignedPermis = (user.app_metadata || {}).permissions;

  let idTokenClaims = context.idToken || {};
  let accessTokenClaims = context.accessToken || {};

  // Custom claims must be namespaced with a URL to avoid collisions with standard claims
  idTokenClaims[`${namespace}/roles`] = assignedRoles;
  accessTokenClaims[`${namespace}/roles`] = assignedRoles;
  idTokenClaims[`${namespace}/permissions`] = assignedPermis;
  accessTokenClaims[`${namespace}/permissions`] = assignedPermis;

  context.idToken = idTokenClaims;
  context.accessToken = accessTokenClaims;
  callback(null, user, context);
}

When I try to jwt.decode, the payload returns:

Key Error at "https://dev-o0hx8kbg.us.auth0.com/roles"

Below is my function in Django for retrieving the payload:

from urllib import request

# Assumed: python-jose, as in the Auth0 Django quickstart this method follows
# (its jwt.decode accepts the raw JWKS JSON as the key and selects by kid)
from jose import jwt


# Method of the social_core Auth0 backend subclass
def get_user_details(self, response):
    # Obtain the ID token and the tenant's public keys to validate its signature
    id_token = response.get('id_token')
    audience = self.setting('SOCIAL_AUTH_AUTH0_KEY')  # CLIENT_ID
    jwks = request.urlopen(
        'https://' + self.setting('SOCIAL_AUTH_AUTH0_DOMAIN') + '/.well-known/jwks.json')
    issuer = 'https://' + self.setting('SOCIAL_AUTH_AUTH0_DOMAIN') + '/'

    # Verify signature (RS256 only), audience and issuer before trusting any claim
    payload = jwt.decode(id_token, jwks.read(), algorithms=['RS256'],
                         audience=audience, issuer=issuer)

    return {
        'username': payload['nickname'],
        'first_name': payload['name'],
        'picture': payload['picture'],
        'user_id': payload['sub'],
        # KeyError here: the Rule's auth0.com namespace is reserved, so the claim is never added
        'role': payload['https://dev-o0hx8kbg.us.auth0.com/roles']
    }

Hi @ovezovv,

Welcome to the Auth0 Community!

I understand you encountered issues setting roles and permissions in the ID token using an Auth0 Rule.

After reviewing your Rule and error carefully, I noticed that you used a reserved namespace, specifically one with the auth0.com domain.

Please be aware that custom namespace claims must use any non-Auth0 HTTP or HTTPS URL as a namespace identifier. Auth0 domains cannot be used as namespace identifiers, and include:

Once the namespace value is fixed, you can get the users’ roles and permissions from the ID token.

Please let me know if there’s anything else I can do to help.

Thank you.


With the change you mentioned, from this API identifier I can get all the permissions and roles. What if I try to get the currently signed-in user’s permissions and roles? How should I implement the rule, or is there any specific configuration for that? Thanks in advance.


Hi @ovezovv,

Thank you for your response.

The Rule snippet you shared with me will get the permissions and roles of the user Post-Login and append them to the ID Token. There should not be any additional configuration needed.

You could alternatively use the Management API v2 Get a user Role endpoint and Get a user Permissions endpoint to accomplish the same results.

Hope this helps!

Please do not hesitate to reach out if you have any further questions.

Thank you.
