Getting user roles in rules

Hey,

I have users with roles assigned to them, and I want to get those roles in the rules.
But when I try to get app_metadata I don’t get anything there - like there are no roles.
Also when looking in the user dashboard - it looks like both app_metadata and user_metadata are empty.

function (user, context, callback) {
  user.app_metadata = user.app_metadata || {};

  context.accessToken['http://explorium.ai/connection'] = user.identities[0].connection;
  context.accessToken['http://explorium.ai/email'] = user.email;
  context.accessToken['http://explorium.ai/nickname'] = user.nickname;
  context.accessToken['http://explorium.ai/roles'] = user.app_metadata.roles;
  
  callback(null, user, context);
}

Am I doing something wrong?
Thanks,
Ilona

2 Likes

Hello @ilona,

Welcome to the Community! Are these roles you have created yourself? Can you post a representative user profile for reference?

Thanks :slight_smile:
Yes - these are roles that I’ve created and attached to the user:

In the user raw json I don’t see that role, nor in the app_metadata or user_metadata section in the user dashboard

Hello @ilona,

That is correct, the roles assigned to a user using that feature (core authorization) are not part of the user’s profile. To access that role data you need to use the management API:

  1. Auth0 Management API v2
  2. Auth0 Management API v2

If you would like to see the core authorization roles in the user profile, I suggest submitting a feature request to Auth0’s feedback page.

3 Likes

Thanks for the quick reply!
That means that there is no way of getting the user roles in the access token?

You can use rules to add core authorization roles to tokens:

Note that the core authorization feature is new and a work in progress. Current state is here:

1 Like

OK thanks!
We will just use roles in app_metadata for now - does that make sense?

If you mean create your own list of roles in app_metadata, you can certainly do that. That is how we are managing role data today where I work. I suspect we will migrate to the new core authorization feature in the future, but our needs are pretty basic (we have only a half dozen or so roles) so we just maintain them in app_metadata as a list:

"app_metadata": {
  "roles": [ "role1", "role2" ]
}

Thanks!
Yes, this is what we planned on doing. The only downside to this is that there is no UI dashboard to see which users have which roles (we will have 2 roles probably…)

That is an issue for us as well. Since the Delegated Administration dashboard does not currently expose user or app metadata, we are planning to create our own user management UI for our support teams to use that does make metadata accessible to the support teams in some fashion (not direct editing of the JSON!)

Yes we also have a management screen for our admin users.
Thanks for the help!

Hello,

Just wanted to add that the user’s assigned roles are available in context.authorization.roles in the rules context. You use that data to then add the roles to the tokens (with context.accessToken with a custom claim).

Regards,
Justin

9 Likes
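
The approach from the reply above, written out as an added example (not part of the original thread and not Auth0's own code): a rule that reads `context.authorization.roles`, falls back to the `app_metadata.roles` list discussed earlier in the thread, and always emits a clean array in the custom claim. The function name `addRolesToTokens`, the `runRule` harness and the sample objects are hypothetical; in the rule editor the function would be anonymous, as in the first post.

```javascript
// Added example: names and sample data are constructed for illustration.
const NAMESPACE = 'http://explorium.ai/'; // claim namespace used in the thread

function addRolesToTokens(user, context, callback) {
  // Roles assigned through core authorization, per the reply above.
  const assigned = (context.authorization || {}).roles;
  // Fallback: the roles list kept in app_metadata, as discussed in the thread.
  const stored = (user.app_metadata || {}).roles;

  const source = Array.isArray(assigned) && assigned.length > 0 ? assigned : stored;
  // Emit only non-empty strings, de-duplicated, so the API that receives the
  // token always sees an array (possibly empty) and never undefined.
  const roles = Array.isArray(source)
    ? [...new Set(source.filter((r) => typeof r === 'string' && r.length > 0))]
    : [];

  context.accessToken = context.accessToken || {};
  context.idToken = context.idToken || {};
  context.accessToken[NAMESPACE + 'roles'] = roles;
  context.idToken[NAMESPACE + 'roles'] = roles;

  callback(null, user, context);
}

// Constructed harness: runs the rule once and returns the resulting context.
function runRule(user, context) {
  let result;
  addRolesToTokens(user, context, (err, u, ctx) => {
    if (err) throw err;
    result = ctx;
  });
  return result;
}

// Constructed sample: a user whose roles come from core authorization.
const demo = runRule(
  { email: 'user@example.com' },
  { authorization: { roles: ['admin', 'viewer'] }, accessToken: {} }
);
console.log(demo.accessToken[NAMESPACE + 'roles']);
```
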

Hi @justin,

It seems that is not documented here? Or did I miss it?

It is currently missing from that document (by mistake) but we’re adding it. It will be updated soon.

1 Like

Oh, good to know!
Thanks for updating…
And yes - adding that to the documentation will be great :slight_smile:

1 Like
