Can't control access to pages using actions?

I'm using code from another answer to try to control who can access admin.mysite.com

If you don’t have a role (added as a custom claim to the ID token) of ‘admin’ your login should be denied.

But when I try

if ((event.client.name === "admin.localhost:3000") && !['https://localhost:3000.com/roles'].includes("admin")) {
  api.access.deny(`Access to ${event.client.name} is not allowed.`);
}

As an action and put it after the action which adds the roles to the claim, this doesn’t work.

How do I do this?


Hi @nc14,

Thanks for reaching out to the Auth0 Community!

I understand that you are trying to deny access to users who do not have an Admin role.

To do so, you will need to use a Post-Login Action to check if the authentication request comes from your application and that the user has the admin role. See below:

exports.onExecutePostLogin = async (event, api) => {
  // event.authorization.roles is an array, so test membership instead of
  // comparing it to a string; fall back to [] when no roles were assigned.
  const roles = event.authorization?.roles ?? [];
  if (event.client.name === 'YOUR_CLIENT_NAME' && !roles.includes('admin')) {
    api.access.deny(`Access to ${event.client.name} is not allowed.`);
  }
};

You can find your Client Name in your Auth0 Dashboard > Applications > Applications and click on your app. On the settings page, the Name should match the event.client.name.

Once this is complete, you can control and restrict access to your application.

Hope this helps!

Please let me know if you have any further questions.

Thank you.

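The deny rule from the reply above, written as an added example (not code from the thread or from Auth0) so it can be exercised without a tenant. The client name "admin.localhost:3000" is the one from the question; the stub `api`, the sample events and the helper names are constructed here for illustration. One detail worth keeping in mind: `event.authorization.roles` is an array and `event.authorization` can be absent, so the check has to be a membership test with a fallback rather than a string comparison.

```javascript
// Added example (not code from the thread): the deny rule from the reply above,
// split into a pure decision function so it can be run locally.
// "admin.localhost:3000" is the client name from the question; the stub api
// and the sample events below are constructed for illustration.

const ADMIN_CLIENT_NAME = "admin.localhost:3000";

// Returns the denial message when the login must be refused, or null to allow it.
function denyReason(event) {
  // event.authorization may be absent, and roles is an array, so a plain
  // `roles !== 'admin'` comparison would deny everyone.
  const roles = event.authorization?.roles ?? [];
  const client = event.client?.name;
  if (client === ADMIN_CLIENT_NAME && !roles.includes("admin")) {
    return `Access to ${client} is not allowed.`;
  }
  return null;
}

// The Action hook Auth0 calls; it only forwards the decision to the API.
async function onExecutePostLogin(event, api) {
  const reason = denyReason(event);
  if (reason !== null) {
    api.access.deny(reason);
  }
}

// Minimal stand-in for the PostLoginAPI that records the deny call.
function makeApiStub() {
  const calls = { denied: null };
  return {
    calls,
    access: { deny: (reason) => { calls.denied = reason; } },
  };
}

// Runs the hook against a constructed event and returns what it decided
// (the denial message, or null when the login was allowed).
async function simulateLogin(clientName, roles) {
  const event = { client: { name: clientName }, authorization: { roles } };
  const api = makeApiStub();
  await onExecutePostLogin(event, api);
  return api.calls.denied;
}

// Auth0 loads Actions as CommonJS modules; export the hook under the name it expects.
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Stand-alone run: prints the outcome for a few constructed cases.
if (typeof require !== "undefined" && require.main === module) {
  (async () => {
    for (const [client, roles] of [
      [ADMIN_CLIENT_NAME, ["admin"]],
      [ADMIN_CLIENT_NAME, ["user"]],
      ["public-site", ["user"]],
    ]) {
      console.log(client, roles, "=>", (await simulateLogin(client, roles)) ?? "allowed");
    }
  })();
}
```

Keeping the decision in `denyReason` means the rule can be unit-tested before it is deployed to the tenant; the hook itself stays a thin wrapper around `api.access.deny`.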

Hi thanks so much for this. It’s only a section of the application I need to deny access to ‘normal users’ for.

So I've moved on to using a redirect action instead, i.e. "if you have a role of 'user' (and not 'admin') we will redirect you from admin.site.com to site.com/user/profile".

I’m using an action like this …

exports.onExecutePostLogin = async (event, api) => {
  if (event.authorization.roles.includes("user")) {
    api.redirect.sendUserTo("http://localhost:3000/user/profile");
  }
};

but I get stuck in an endless redirect loop when I deploy and use this?

Hi @nc14,

Thank you for your response.

The endless redirect loop can happen when the authentication flow resumes from the redirect and executes all the Actions again. When this happens, it will eventually run the redirect Action again and remain stuck in a continuous loop.

With that, you will want to resume the authentication flow on the same Action that invoked the redirect by calling the onContinuePostLogin function. For redirects to work correctly, you must have a function with the following signature in the same Action that invoked the redirect:

/**
 * @param {Event} event - Details about the user and the context in which they are logging in.
 * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
 */
exports.onContinuePostLogin = async (event, api) => {
};

By doing so, the user continues to your application without being stuck in a loop.

See this doc to learn more about resuming authentication after a redirect in Actions.

Please let me know how this works for you.

Thank you.

thanks - it looks like I need to store the state parameter and send that back to that function? Is that correct?

How do I access the state parameter from express?


Hi @nc14,

Thank you for your reply.

Yes, that’s correct. Your redirect URL will need to extract the state parameter and send it back to Auth0’s /continue endpoint to resume the authentication transaction.

You can get the state parameter by calling the getLoginState() function.

Hope this helps!

Please let me know if you have any further questions.

Thank you.
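The redirect Action pair described in the second reply and the Express-side step from the third, put together as one added example (not code from the thread, from Auth0 or from the asker's project) so the whole round trip can be traced locally. `AUTH0_DOMAIN` is a placeholder, the profile URL is the one from the question, and the `req`/`res` stubs and the state value are constructed here; `redirectTargetFor`, `buildContinueUrl`, `profileHandler` and `simulateRoundTrip` are helper names chosen for the example.

```javascript
// Added example (not code from the thread): a redirect Action with both hooks,
// plus an Express-compatible handler that returns the user to /continue.
// AUTH0_DOMAIN is a placeholder; the stubs below are constructed for illustration.

const AUTH0_DOMAIN = "YOUR_TENANT.auth0.com"; // placeholder, not a real tenant
const PROFILE_URL = "http://localhost:3000/user/profile";

// Decide where a freshly logged-in user should be sent, or null for no redirect.
function redirectTargetFor(event) {
  const roles = event.authorization?.roles ?? [];
  return roles.includes("user") && !roles.includes("admin") ? PROFILE_URL : null;
}

// First hook: runs on every login. Auth0 appends ?state=... to the URL it
// sends the user to.
async function onExecutePostLogin(event, api) {
  const target = redirectTargetFor(event);
  if (target !== null) {
    api.redirect.sendUserTo(target);
  }
}

// Second hook, required in the same Action: runs when the app sends the user
// back to /continue. It deliberately does not redirect again, which is what
// lets the login complete instead of looping.
async function onContinuePostLogin(event, api) {
  return;
}

// Builds the URL the application must send the user to so Auth0 resumes the
// transaction. The state value is opaque; pass it back untouched.
function buildContinueUrl(domain, state) {
  if (typeof state !== "string" || state.length === 0) {
    throw new Error("missing state parameter on the redirect");
  }
  return `https://${domain}/continue?state=${encodeURIComponent(state)}`;
}

// Express-compatible handler for GET /user/profile; Express parses the query
// string into req.query, so the state arrives as req.query.state.
function profileHandler(req, res) {
  try {
    // The page's own work goes here; when done, hand control back to Auth0.
    res.redirect(buildContinueUrl(AUTH0_DOMAIN, req.query.state));
  } catch (err) {
    res.status(400).send(err.message);
  }
}

// Local simulation with a constructed event and stub api/req/res. Returns every
// redirect the Action asked for, so a loop would show up as a second entry.
async function simulateRoundTrip(roles) {
  const event = { authorization: { roles }, client: { name: "admin.localhost:3000" } };
  const asked = [];
  const api = { redirect: { sendUserTo: (url) => asked.push(url) } };

  await onExecutePostLogin(event, api); // login, may redirect
  if (asked.length === 0) return { actionRedirects: asked, appRedirect: null };

  const sent = []; // app handles /user/profile?state=...
  profileHandler(
    { query: { state: "constructed-state-123" } },
    { redirect: (url) => sent.push(url), status() { return this; }, send() {} }
  );

  await onContinuePostLogin(event, api); // Auth0 resumes at /continue
  return { actionRedirects: asked, appRedirect: sent[0] };
}

// Auth0 loads Actions as CommonJS modules; export both hooks under the names it expects.
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
  exports.onContinuePostLogin = onContinuePostLogin;
}
```

In a real application the handler would normally keep the state in the session and only send the user to `/continue` once the page has finished its work; the example collapses that into one step to keep the flow visible. Anything the application wants to hand back to the Action beyond the state itself should travel as a signed token checked with `api.redirect.validateToken` in `onContinuePostLogin`, not as raw query parameters the user can edit.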