How do I add permissions (not roles) using the actions?

I have the following access token…

{
  "iss": "https://jackiergleason.auth0.com/",
  ...
  "aud": [
    ...
    "https://jackiergleason.auth0.com/userinfo"
  ],
  ...
  "permissions": [
    "finance",
    "read:actuators",
    "user:admin"
  ]
}

I tried to add them to the user I get here…

const { isAuthenticated, user } = useAuth0();

By creating the following Action

exports.onExecutePostLogin = async (event, api) => {
  const namespace = '...';
  console.log(JSON.stringify(event));
  // Permissions I stored by hand in user_metadata (not the RBAC permissions)
  if (event.user.user_metadata.assigned_permissions)
    api.idToken.setCustomClaim(namespace + 'permissions', event.user.user_metadata.assigned_permissions);
  // event.authorization carries roles, so this part shows up in the ID token
  if (event.authorization)
    api.idToken.setCustomClaim(namespace + 'roles', event.authorization.roles);

  // Sanity-check claim to prove the Action ran at all
  api.idToken.setCustomClaim('Working', 'The action it working');
};

I now see the ROLES but I need the PERMISSIONS and there isn’t an authorization property for that. How do I grab the Permissions using the action instead?

I have confirmed the roles are mapped in both the API and the User, and that RBAC and permission support are enabled.

I found this

and tried

exports.onExecutePostLogin = async (event, api) => {
  // No namespace this time; fall back to a marker value so I can tell the Action ran
  if (event.user.user_metadata.assigned_permissions)
    api.idToken.setCustomClaim('permissions', event.user.user_metadata.assigned_permissions);
  else
    api.idToken.setCustomClaim('permissions', ["weirdo"]);
};

But I still don’t see anything (I would expect to see at least weirdo even if getting the permissions is messed up).

User is {"https://secondave.net/roles":[],"https://secondave.net/picture":"https://lh3.googleusercontent.com/a/ACg8ocL7LkvLhW8oA9ZaOx9WczixrQkJJZSE7JeuUdDrY1aD6sE=s96-c","given_name":"Jackie","family_name":"Gleason","nickname":"jackiegleason","name":"Jackie Gleason","picture":"https://lh3.googleusercontent.com/a/ACg8ocL7LkvLhW8oA9ZaOx9WczixrQkJJZSE7JeuUdDrY1aD6sE=s96-c","locale":"en","updated_at":"2024-01-15T15:39:37.218Z","email":"jackiegleason@gmail.com","email_verified":true,"sub":"google-oauth2|111260033634073020811"} SiteBar.jsx:25:12

Ok, I made a mistake, and if I add back the namespace I do see the permission, but it doesn’t have the expected permissions…

User is {...,"https://cbusha.com/permissions":["weirdo"],"Working":"The action it working",...}

But in my dashboard I see the permissions

I also tried using this

console.log(JSON.stringify(event.user));

and the webtask extension and I see…

{"authorization":{"groups":[],"permissions":[],"roles":[]},"locale":"en","app_metadata":{"authorization":{"groups":[],"permissions":[],"roles":[]}},"created_at":"2017-10-31T16:37:10.306Z","email_verified":true,"email":"...","family_name":"...","given_name":"...","identities":[{"connection":"google-oauth2","isSocial":true,"provider":"google-oauth2","userId":"...","user_id":"..."}],"name":"...","nickname":"...","picture":"...-c","updated_at":"2024-01-15T15:54:54.426Z","user_id":"...","user_metadata":{},"multifactor":[]}

So it looks like the permissions are not accessible through this; is there something else I can use?

Also I am a little confused if I CAN’T use permissions, why can I use roles? And when I use roles, why are only the permissions included in the access token?

This is basically forcing me to use one for the UI and one for the BE. This seems to add some confusion to my app and it would be easier to just use one or the other. So I am a bit confused on the security difference if the permissions are listed in the JWT access token and anyone can decrypt that to infer the permissions.
