As a quick follow-up to this, we were able to successfully implement this using Azure Functions on the back-end to populate the roles and this rule to attach the current host’s roles into the token:
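/**
 * Auth0 rule: copies the roles stored for the current host into the ID token.
 *
 * Roles are read from `user.app_metadata[<host>].roles`, where `<host>` is the
 * hostname of the login request's `redirect_uri` with dots replaced by
 * underscores (e.g. "development.sportsmgmt.net" -> "development_sportsmgmt_net").
 * The result is written to the namespaced claim `http://yourdomain.com/roles`.
 *
 * Fail-closed: when `redirect_uri` is missing or unparseable, or no matching
 * metadata entry exists, an empty roles array is attached instead of failing
 * the login with a thrown TypeError (the original `url.parse(undefined)` and
 * `null.replace` paths).
 *
 * @param {object} user     Auth0 user; `app_metadata` may be absent.
 * @param {object} context  Auth0 context; reads `request.query.redirect_uri`, writes `idToken`.
 * @param {function} callback  Auth0 continuation `(err, user, context)`.
 */
function addHostRolesToIdToken(user, context, callback) {
  // Auth0 strips non-namespaced custom claims, hence the URL-style prefix.
  const namespace = 'http://yourdomain.com/';

  // NOTE(review): redirect_uri is request input; the key it selects is only
  // as trustworthy as the application's allowed-callback-URL validation that
  // runs before this rule — confirm that is enforced for your tenant.
  const redirectUri = context && context.request && context.request.query
    ? context.request.query.redirect_uri
    : undefined;

  let hostname;
  try {
    // WHATWG URL (global in Node >= 10) instead of the deprecated url.parse;
    // it throws on missing/invalid input rather than returning a null hostname.
    hostname = new URL(redirectUri).hostname.replace(/\./g, '_');
  } catch (e) {
    hostname = undefined;
  }

  let roles = [];
  const appMetadata = user.app_metadata;
  // Only honour own properties: a hostname such as "constructor" would
  // otherwise resolve through Object.prototype.
  if (hostname !== undefined
      && appMetadata !== undefined
      && appMetadata !== null
      && Object.prototype.hasOwnProperty.call(appMetadata, hostname)
      && appMetadata[hostname] !== null
      && appMetadata[hostname] !== undefined
      && appMetadata[hostname].roles !== undefined) {
    roles = appMetadata[hostname].roles;
  }

  context.idToken[namespace + 'roles'] = roles;
  callback(null, user, context);
}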
Here’s what my user’s app_metadata looks like:
{
  "localhost": {
    "roles": [
      "Administration",
      "CheckIn"
    ]
  },
  "development_sportsmgmt_net": {
    "roles": [
      "Administration",
      "CheckIn"
    ]
  }
}