Automatically assign roles to federated OIDC users

Hi, I use an OpenID Connect enterprise connection to federate users. The returned ID-token contains a custom claim that represents the roles of the given user. I want to dynamically map the content of this id-token claim to an Auth0 role in order to get correct content of the permissions claim in the returned access token from Auth0. Is this possible?

Hi there @k01157! We’ll see if anyone chimes in on this topic, but perhaps you could use the Management API in an Action to create/update the role using the custom claim data?

Hi @tyf and thanks for the reply! I have managed to set roles with the Management API that you suggested. But I am not sure if this solution will scale? I must execute 2 Management API calls for every authentication, one to get user-details that contains my custom claim data and one to assign roles accordingly. The documentation mentions rate-limiting for the Management API and our peak hours in production contains hundreds of logins per second. What do you think about that scenario?

No problem, happy to help!

I think you are correct in being concerned that this approach will not scale to such a level - This is unfortunately a tricky spot to be in as there aren’t any great options given that each login would require multiple calls to the Management API. This probably wasn’t the best recommendation from the get go!

Not nearly as dynamic but perhaps you could do something like add the incoming role to a user’s metadata property and then use the Management SDK elsewhere to make bulk updates?

Again, there unfortunately isn’t a straightforward solution I’m aware of :confused:

I’m afraid that will not work? My understanding is that it has to be a synchronous operation in order to get the correct content in the returned access token? (The permission claim is deduced from the roles)