I’m working on a SaaS application. Once logged in using Auth0 with a customer IdP and redirected to the application, there is a dropdown to select tenants; then I want to get the roles for that user for the selected tenant and update the access token and ID token with the corresponding roles. Is it possible? Can someone suggest whether there is any other way or scenario we can handle this?
I saw rules, but this comes with the authentication flow and I want to update at a later stage.
There is no way to update a JWT’s claims (they are immutable by design); you must be issued a new token with the updated roles. If you want to have the roles in a custom claim in a token, then you will want a short expiration time, because the ‘old’ token will be valid even after you update the roles and request a new token. You can use refresh tokens to make this experience fairly seamless.
The other option, and a potentially straightforward solution depending on how often you are looking at roles, is using the Management API to look at a user’s roles. This can be done here.
Roles and permissions will be at our end in a database. I will be using Auth0 for enterprise connections to redirect to a custom IdP just for authentication.
Buried in there is an example about how we typically handle RBAC with rules:
If you were to add your roles and permissions to Auth0, you could fairly painlessly give a user a custom claim with their role inside of a rule.
You can also use rules to grant/restrict access to certain applications, not sure if that is relevant for your use case or not.
This would mean you need to migrate your roles to Auth0. For that, you would have to write a script to move things over using the Management API.
For the Management API, there are SDKs for different frameworks that simplify things for you, but it is simply an API for controlling all of the functions of the Auth0 Dashboard. If you want to add roles to a user, you would make an API call to the POST /api/v2/users/{id}/roles endpoint with a list of “roles” to add to that user.
If you were using C# you could use this package if you don’t want to write the vanilla API calls yourself.
An example of an API call to assign a role to a user can be found here. Keep in mind this example is written inside a rule.
Let me know if you need any further clarification.
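As an added example (not code from the thread, from Auth0’s samples, or from the C# package mentioned), the block below puts the two pieces of this answer together: a rule-shaped function that copies roles stored in `app_metadata` into namespaced custom claims on the ID and access tokens, keyed by the tenant the user selected, and a small builder for the `POST /api/v2/users/{id}/roles` request used to migrate roles. The claim namespace, the `tenant` query parameter, the `rolesByTenant` layout in `app_metadata`, the domain and the role IDs are all assumptions made for the example; the important property is that the rule only ever emits roles that already exist in `app_metadata` for the requested tenant, so the tenant parameter (which the client controls) can narrow what is issued but never widen it.

```javascript
// Added example, not from the original thread or from Auth0: a rule-style
// (user, context, callback) function that issues tenant-scoped role claims,
// plus a builder for the Management API call that assigns roles to a user.
// CLAIM_NS, the `tenant` query parameter and the app_metadata layout are
// assumptions for this example; Auth0 expects custom claims to be namespaced.
const CLAIM_NS = 'https://example.com/';

// Reads app_metadata.rolesByTenant[tenant] (assumed layout) and writes the
// roles and the tenant into both tokens. A tenant the user does not belong to
// yields an empty role list rather than an error, so the login still succeeds
// but carries no authorization for that tenant.
function addTenantRolesClaim(user, context, callback) {
  const meta = (user && user.app_metadata) || {};
  const query = (context.request && context.request.query) || {};
  const tenant = typeof query.tenant === 'string' ? query.tenant : null;
  const rolesByTenant = meta.rolesByTenant || {};
  const roles = tenant && Array.isArray(rolesByTenant[tenant]) ? rolesByTenant[tenant].slice() : [];

  context.idToken[CLAIM_NS + 'roles'] = roles;
  context.accessToken[CLAIM_NS + 'roles'] = roles;
  if (tenant) {
    context.idToken[CLAIM_NS + 'tenant'] = tenant;
    context.accessToken[CLAIM_NS + 'tenant'] = tenant;
  }
  return callback(null, user, context);
}

// Describes the Management API request that assigns existing Auth0 roles to a
// user: POST /api/v2/users/{id}/roles with a JSON body { "roles": [...] }.
// `mgmtToken` is a Management API access token (placeholder in the demo);
// the user id is URL-encoded because Auth0 ids contain a '|'.
function buildAssignRolesRequest(domain, userId, roleIds, mgmtToken) {
  if (!Array.isArray(roleIds) || roleIds.length === 0) {
    throw new Error('roleIds must be a non-empty array of role ids');
  }
  return {
    method: 'POST',
    url: `https://${domain}/api/v2/users/${encodeURIComponent(userId)}/roles`,
    headers: {
      Authorization: `Bearer ${mgmtToken}`,
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({ roles: roleIds }),
  };
}

// Constructed sample user and /authorize context, as a rule would see them.
function demo() {
  const user = {
    user_id: 'auth0|u1',
    app_metadata: { rolesByTenant: { acme: ['admin'], globex: ['viewer'] } },
  };
  const context = { request: { query: { tenant: 'acme' } }, idToken: {}, accessToken: {} };
  let result = null;
  addTenantRolesClaim(user, context, (err, u, c) => { result = { err, context: c }; });
  const request = buildAssignRolesRequest('example.auth0.com', user.user_id, ['rol_PLACEHOLDER'], 'MGMT_TOKEN_PLACEHOLDER');
  return { result, request };
}

module.exports = { addTenantRolesClaim, buildAssignRolesRequest, demo };
```

To actually send the request you would hand the returned object to `fetch` or your HTTP client of choice with a Management API token obtained via the client-credentials flow; the builder is kept transport-free so it can be unit-tested without network access.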
Thanks Dan, I am working on the refresh token scenario. Will it get an access token and ID token or just an access token? And how long will the refresh token be valid? I have seen somewhere that it never expires; is that true?