Fetch app's roles from within a rule

Hi,

I’d like to fetch the app’s full roles list (not a specific user’s roles) from Auth0 from inside a rule.

I can’t call ManagementClient/getRoles with auth0.accessToken because that token is limited to the read:users and update:users scopes.

This information is based on both tests and the following article:

I’m trying to obtain a client credentials grant with the ‘read:roles’ scope, but I’m getting an access_denied error.

Rule:

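function (user, context, callback) {
  // Auth0 rule: request a Management API token (scope `read:roles`) with a
  // client-credentials grant, log the outcome, and always continue the login.
  //
  // The grant only succeeds once the application has been authorized for the
  // Management API (a client-grant that includes `read:roles`); otherwise the
  // token endpoint answers 403 access_denied.
  const lib = require('auth0@2.23.0');

  // Derive the audience from the tenant the rule runs in, so the hard-coded
  // value cannot drift from the actual tenant domain.
  const managementAudience = `https://${auth0.domain}/api/v2/`;

  // Keep the client credentials out of the rule source: read them from the
  // rule configuration (Rules > Settings) instead of inlining literals.
  // The two key names are placeholders — use whatever keys the settings define.
  function getToken() {
    const auth = new lib.AuthenticationClient({
      domain: auth0.domain,
      clientId: configuration.ROLES_CLIENT_ID,
      clientSecret: configuration.ROLES_CLIENT_SECRET
    });

    return auth.clientCredentialsGrant({
      audience: managementAudience,
      scope: 'read:roles'
    });
  }

  getToken()
    .then(result => {
      // Log only non-sensitive token metadata; never log the access token itself.
      console.log('result', { token_type: result.token_type, expires_in: result.expires_in });
    })
    .catch(error => {
      // A compact summary is enough for diagnosis; the full superagent error
      // object dumps request internals into the rule logs.
      console.log('error', error.statusCode, error.message);
    })
    .finally(() => {
      // Best effort: the login continues whether or not a token was obtained.
      callback(null, user, context);
    });
}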

Error:

access_denied: {"error":"access_denied","error_description":"Client is not authorized to access \"https://royibernthal.us.auth0.com/api/v2/\". You might probably want to create a \"client-grant\" associated to this API. See: https://auth0.com/docs/api/v2#!/Client_Grants/post_client_grants"}
    at /data/_verquire/_node12/auth0-extension-s3-tools/1.1.1/node_modules/rest-facade/src/Client.js:387:27
    at Request.callback (/data/_verquire/_node12/auth0-extension-s3-tools/1.1.1/node_modules/rest-facade/node_modules/superagent/lib/node/index.js:728:3)
    at /data/_verquire/_node12/auth0-extension-s3-tools/1.1.1/node_modules/rest-facade/node_modules/superagent/lib/node/index.js:916:18
    at Stream.<anonymous> (/data/_verquire/_node12/auth0-extension-s3-tools/1.1.1/node_modules/rest-facade/node_modules/superagent/lib/node/parsers/json.js:19:7)
    at Stream.emit (events.js:314:20)
    at Stream.EventEmitter.emit (domain.js:506:15)
    at Unzip.<anonymous> (/data/_verquire/_node12/auth0-extension-s3-tools/1.1.1/node_modules/rest-facade/node_modules/superagent/lib/node/unzip.js:55:12)
    at Unzip.emit (events.js:326:22)
    at Unzip.EventEmitter.emit (domain.js:506:15)
    at endReadableNT (_stream_readable.js:1241:12)
    at processTicksAndRejections (internal/process/task_queues.js:84:21) {
  statusCode: 403,
  requestInfo: {
    method: 'post',
    url: 'https://royibernthal.us.auth0.com/oauth/token'
  },
  originalError: Error: Forbidden
      at Request.callback (/data/_verquire/_node12/auth0-extension-s3-tools/1.1.1/node_modules/rest-facade/node_modules/superagent/lib/node/index.js:706:15)
      at /data/_verquire/_node12/auth0-extension-s3-tools/1.1.1/node_modules/rest-facade/node_modules/superagent/lib/node/index.js:916:18
      at Stream.<anonymous> (/data/_verquire/_node12/auth0-extension-s3-tools/1.1.1/node_modules/rest-facade/node_modules/superagent/lib/node/parsers/json.js:19:7)
      at Stream.emit (events.js:314:20)
      at Stream.EventEmitter.emit (domain.js:506:15)
      at Unzip.<anonymous> (/data/_verquire/_node12/auth0-extension-s3-tools/1.1.1/node_modules/rest-facade/node_modules/superagent/lib/node/unzip.js:55:12)
      at Unzip.emit (events.js:326:22)
      at Unzip.EventEmitter.emit (domain.js:506:15)
      at endReadableNT (_stream_readable.js:1241:12)
      at processTicksAndRejections (internal/process/task_queues.js:84:21) {
    status: 403,
    response: Response {
      _events: [Object: null prototype] {},
      _eventsCount: 0,
      _maxListeners: undefined,
      res: [IncomingMessage],
      request: [Request],
      req: [ClientRequest],
      text: '{"error":"access_denied","error_description":"Client is not authorized to access \\"https://royibernthal.us.auth0.com/api/v2/\\". You might probably want to create a \\"client-grant\\" associated to this API. See: https://auth0.com/docs/api/v2#!/Client_Grants/post_client_grants"}',
      body: [Object],
      files: undefined,
      buffered: true,
      headers: [Object],
      header: [Object],
      statusCode: 403,
      status: 403,
      statusType: 4,
      info: false,
      ok: false,
      redirect: false,
      clientError: true,
      serverError: false,
      error: [Error],
      created: false,
      accepted: false,
      noContent: false,
      badRequest: false,
      unauthorized: false,
      notAcceptable: false,
      forbidden: true,
      notFound: false,
      unprocessableEntity: false,
      type: 'application/json',
      links: {},
      setEncoding: [Function: bound ],
      redirects: [],
      [Symbol(kCapture)]: false
    }
  }
}

Hi @royibernthal,

Welcome to the Community!

In order to authorize your client, navigate to the Management API settings in your dashboard and toggle the application to the ‘Authorized’ position, granting it the `read:roles` scope the rule requests.

Note: Be aware of the Management API rate limits; calling the Management API on every authentication can quickly run you into them.

Perfect, thanks :slight_smile:

Regarding the Management API rate limits: how would I return the up-to-date Auth0 list of roles in every response (doing an integration with Hasura) without running into the limits?

Would I have to implement some caching on my own servers and access it from within the rule, or is there a better way to do it?

Check out this doc that has an example of how to add roles to the token:
