Auth0+Django Setting Roles and Permissions

When I implement Auth0 Authentication and “Set Roles to User” Rule

function (user, context, callback) {
  const namespace = 'https://dev-o0hx8kbg.us.auth0.com';
  const assignedRoles = (context.authorization || {}).roles;
  const assignedPermis = (user.app_metadata || {}).permissions;

  let idTokenClaims = context.idToken || {};
  let accessTokenClaims = context.accessToken || {};

  idTokenClaims[`${namespace}/roles`] = assignedRoles;
  accessTokenClaims[`${namespace}/roles`] = assignedRoles;
  idTokenClaims[`${namespace}/permissions`] = assignedPermis;
  accessTokenClaims[`${namespace}/permissions`] = assignedPermis;

  context.idToken = idTokenClaims;
  context.accessToken = accessTokenClaims;
  callback(null, user, context);
} 

When I am trying to jwt.decode, payload returns

Key Error at "https://dev-o0hx8kbg.us.auth0.com/roles"

Below is my function in Django for retrieving the payload

# Imports assumed from the calls below (python-jose accepts the JWKS document as the key)
from urllib import request
from jose import jwt

def get_user_details(self, response):
        # Obtain JWT and the keys to validate the signature
        id_token = response.get('id_token')
        audience = self.setting('SOCIAL_AUTH_AUTH0_KEY')  # CLIENT_ID
        jwks = request.urlopen(
            'https://' + self.setting('SOCIAL_AUTH_AUTH0_DOMAIN') + '/.well-known/jwks.json')
        issuer = 'https://' + self.setting('SOCIAL_AUTH_AUTH0_DOMAIN') + '/'

        # Verify signature, audience and issuer before reading any claim
        payload = jwt.decode(id_token, jwks.read(), algorithms=[
                             'RS256'], audience=audience, issuer=issuer)

        return {
            'username': payload['nickname'],
            'first_name': payload['name'],
            'picture': payload['picture'],
            'user_id': payload['sub'],
            # This lookup raises the KeyError when the claim is not in the token
            'role': payload['https://dev-o0hx8kbg.us.auth0.com/roles']
        }

Hi @ovezovv,

Welcome to the Auth0 Community!

I understand you encountered issues setting roles and permissions in the ID token using an Auth0 Rule.

After reviewing your Rule and error carefully, I noticed that you used a reserved namespace, specifically with the auth0.com domain.

Please be aware that custom namespace claims must use any non-Auth0 HTTP or HTTPS URL as a namespace identifier. Auth0 domains cannot be used as namespace identifiers, and include:

Once the namespace value is fixed, you can get the users’ roles and permissions from the ID token.

Please let me know if there’s anything else I can do to help.

Thank you.

After changing it as you mentioned, I can get all the permissions and roles from this API identifier. What if I try to get the currently signed-in user’s permissions and roles? How should I implement the rule, or is there any specific configuration for that? Thanks in advance.

Hi @ovezovv,

Thank you for your response.

The Rule snippet you shared with me will get the permissions and roles of the user Post-Login and append them to the ID Token. There should not be any additional configuration needed.

You could alternatively use the Management API v2 Get a user Role endpoint and Get a user Permissions endpoint to accomplish the same results.

Hope this helps!

Please do not hesitate to reach out if you have any further questions.

Thank you.
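Added example (not from the thread and not Auth0's own code): one way to read the namespaced roles and permissions on the Django side from an already verified ID token payload, so that a missing or malformed claim yields no roles instead of the KeyError shown in the question. The namespace `https://example.com/claims`, the function names and the sample payloads are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical namespace for this example: any non-Auth0 HTTP(S) URL you control.
NAMESPACE = "https://example.com/claims"


def check_namespace(namespace):
    """Reject namespaces on the auth0.com domain, which the answer says is reserved."""
    parts = urlsplit(namespace)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        raise ValueError("namespace must be an HTTP or HTTPS URL")
    if host == "auth0.com" or host.endswith(".auth0.com"):
        raise ValueError("Auth0 domains cannot be used as a claim namespace")
    return namespace.rstrip("/")


def string_list(value):
    """Return value if it is a list of strings, else an empty list (fail closed)."""
    if isinstance(value, list) and all(isinstance(v, str) for v in value):
        return value
    return []


def authz_claims(payload, namespace=NAMESPACE):
    """Read roles and permissions from an already verified ID token payload.

    A missing or malformed claim gives the user no roles (least privilege)
    instead of raising KeyError and failing the login.
    """
    ns = check_namespace(namespace)
    return {
        "roles": string_list(payload.get(f"{ns}/roles")),
        "permissions": string_list(payload.get(f"{ns}/permissions")),
    }


# Constructed payloads (not real tokens), shaped like the dict jwt.decode() returns.
WITH_CLAIMS = {
    "sub": "auth0|constructed-user",
    "nickname": "sample",
    "https://example.com/claims/roles": ["editor"],
    "https://example.com/claims/permissions": ["read:posts", "write:posts"],
}
WITHOUT_CLAIMS = {"sub": "auth0|constructed-user", "nickname": "sample"}

if __name__ == "__main__":
    print(authz_claims(WITH_CLAIMS))
    print(authz_claims(WITHOUT_CLAIMS))
```

The Rule has to write its claims under the same namespace string for the lookup to match.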