Custom roles in Access token from application

I’m working on a saas application, once logged in using auth0 using customer idp and redirected to application, there is a dropdown to select tenants, then i want to get roles for that user for the selected tenant and updated access token and id token with the corresponding roles, is it possible can some one suggest me is there any other way or scenario we can handle this?

I saw rules but this is comes with the authentication flow and i want to update later stage

Advance thanks,

Hi @bkb,

Welcome to the Auth0 Community!

There is no way to update a JWT’s claims (they are immutable by design), you must be issued a new token with the updated roles. If you want to have the roles in a custom claim in a token, then you will want a short expiration time, because the ‘old’ token will be valid even after you update the roles and request a new token. You can use refresh tokens to make this experience fairly seamless.

The other option and a potentially straight forward solution depending on how often you are looking at roles, is using the Management API to look at a users roles. This can be done here.

Let me know if that provides any insight.


Thanks Dan,

If I want to use second option, how to get the roles from my database per user tenant or all tenants on 1st time login?

To clarify, are you using Auth0’s Roles functionality? If not, where are you storing your role based access control info?

Roles and permissions will be at iur end in database, I will be using Auth0 for enterprise connections to redirect to custom idp just for authentication

Okay, I see now.

You could migrate that information to Auth0 using the management api.!/Users/post_user_roles

Or else you could handle the RBAC actions by polling your database. Are you storing a copy of your users in that database? Why not update it there?

can you please give me bit more details how to use management API 2, like any working example will be helpful

Our plan of action is to have to claims, rather than polling Database and we are using ASP.Net WEBAPI

RBAC we have user, tenant and roles (permissions) in DB, if possible please give me a example how it will fit with Auth0


Take a look at our documentation on RBAC:

Buried in there is an example about how we typically handle RBAC with rules:

If you were to add your roles and permissions to Auth0 you could fairly painlessly give a user a custom claim with their role inside of a rule.

You can also use rules to grant/restrict access to certain applications, not sure if that is relevant for your use case or not.

This would mean you need to migrate your roles to auth0. For that you would have to write a script to move things over using the management API.

For the management API, there are SDKs for different frameworks that simplify things for you, but it is simply an API for controlling all of the functions of the Auth0 Dashboard. If you wanting to add roles to a user you would make an API call to the POST /api/v2/users/{id}/roles endpoint with a list of “roles” to add to that user.

If you were using C# you could use this package if you don’t want to write the vanilla API calls yourself.

An example of an API call to assign a role to a user can be found here. Keep in mind this example is written inside a rule.

Let me know if you need any further clarification.


Thanks Dan, I working on refresh token scenario, will it get access token and id token or just access token? and how long refresh token will be valid, I have seen somewhere it never expriy is that true?


A refresh token can be used to get an access token or id token. Refresh tokens never expire and can be revoked if necessary.


Thanks Dan,

I will be using silent authentication for tenant application roles

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.