Extract roles from authentication token in login callback

I have a Spring (Boot) application that uses Auth0 for authentication. I fire the authentication flow in my controller with the Auth0 SDK:

// controller is com.auth0.AuthenticationController
controller.buildAuthorizeUrl(req, response, selfUrl + "/auth0/on-after-login")
                .withScope("openid profile email")
                .build();

but the token that I receive in the callback does not contain the claim https://access.control/roles that the sample app uses to read user’s roles. I have the following questions:

  • Is the https://access.control/roles claim somewhat standard to get user roles?
  • If yes, why is it empty in all of my tokens?

Meh, this community doesn’t work well for getting support. Anyway, I solved it by myself using this custom rule:

function (user, context, callback) {
  // https://auth0.com/docs/authorization/concepts/sample-use-cases-rules#add-user-roles-to-tokens
  const namespace = 'https://access.control';
  const assignedRoles = (context.authorization || {}).roles;

  let idTokenClaims = context.idToken || {};
  let accessTokenClaims = context.accessToken || {};

  idTokenClaims[`${namespace}/roles`] = assignedRoles;
  accessTokenClaims[`${namespace}/roles`] = assignedRoles;

  context.idToken = idTokenClaims;
  context.accessToken = accessTokenClaims;

  callback(null, user, context);
}

from this page.

I think the rule should at least be mentioned in the relevant examples like this one.
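The consuming side of the rule above, as an added example that is not part of the original post or of Auth0's code: it reads the namespaced roles claim from an ID token payload and treats a missing or malformed claim as "no roles", which is the state the question describes when the rule is not installed. It is written in JavaScript to match the rule; the helper names and sample tokens are constructed, and it assumes the token signature was already verified by the SDK in the callback.

```javascript
// Added example: helper names and sample tokens are constructed for illustration.
const ROLES_CLAIM = 'https://access.control/roles'; // namespace + '/roles', as set by the rule

// Decode the payload segment of a compact JWT. This does NOT verify the signature.
// Assumption: the SDK already validated the token before this code sees it.
function decodePayload(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  // Node's 'base64' decoder also accepts the URL-safe alphabet used by JWTs.
  return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
}

// Fail closed: a missing or malformed claim yields an empty role list.
function extractRoles(claims) {
  const value = claims[ROLES_CLAIM];
  if (!Array.isArray(value)) return [];
  return value.filter((r) => typeof r === 'string' && r.length > 0);
}

function hasRole(jwt, role) {
  return extractRoles(decodePayload(jwt)).includes(role);
}

// Build an unsigned sample token (constructed; the signature is a placeholder).
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.placeholder-signature`;
}

const sub = 'auth0|constructed-user';
const samples = {
  // Rule installed and the user has roles assigned.
  ruleWithRoles: makeSampleToken({ sub, [ROLES_CLAIM]: ['admin', 'editor'] }),
  // No rule installed: the claim never appears in the token.
  noRule: makeSampleToken({ sub }),
  // Rule ran but context.authorization was absent, so the value was undefined;
  // JSON serialization drops undefined members, so the claim is missing again.
  ruleButUndefined: makeSampleToken({ sub, [ROLES_CLAIM]: undefined }),
  // Claim present but not an array: must not be matched as a role list.
  malformedClaim: makeSampleToken({ sub, [ROLES_CLAIM]: 'admin' }),
};

for (const [name, token] of Object.entries(samples)) {
  console.log(name, extractRoles(decodePayload(token)));
}
```
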