How do I get role claims added to my access token?

This seems like such a simple question. How do I get role claims added to my access token?

I am using RBAC having enabled it on my API.

I am successfully receiving permissions claims as well.

What I am hoping for is to add roles claims alongside those permissions claims.

Everything I search for seems to take me back to creating a Rule and the example of creating an “admin” or “user” role claim based on the “Set roles to a user” Rule template:

This template assumes that the roles you want added to the token are based on the domain of the email address of the user. That is not what I want at all.

What I want is to add the roles I have associated with a user through the Users & Roles feature in the Management Dashboard.

How do I do that?

Here is an example of the claims I am receiving in my access token now:

[
  {
    "type": "iss",
    "value": "https://centurysoftwaretech.auth0.com/"
  },
  {
    "type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "value": "google-oauth2|REDACTED"
  },
  {
    "type": "aud",
    "value": "http://localhost/auth0testapi"
  },
  {
    "type": "aud",
    "value": "https://centurysoftwaretech.auth0.com/userinfo"
  },
  {
    "type": "iat",
    "value": "1564432797"
  },
  {
    "type": "exp",
    "value": "1564519197"
  },
  {
    "type": "azp",
    "value": "REDACTED"
  },
  {
    "type": "scope",
    "value": "openid"
  },
  {
    "type": "permissions",
    "value": "read:messages"
  },
  {
    "type": "permissions",
    "value": "read:values"
  },
  {
    "type": "permissions",
    "value": "write:values"
  }
]

Please advise. Thank you.
Jack


I tried the following but it had no effect.

I created a Rule named “Add role claim” and provided the following as its body:

function (user, context, callback) {
  // Claim name is a namespaced URL, so the name itself is not the problem
  var roleClaim = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";

  // user.roles is not populated by the Users & Roles (Authorization Core) feature;
  // this assigns undefined, so the claim never appears in the token
  context.accessToken[roleClaim] = user.roles;

  callback(null, user, context);
}

It had no discernible effect on my claims.

What is the secret?

I finally found a Rule script that worked:

function (user, context, callback) {
  // Custom claims must be namespaced (URL-style) names
  const namespace = 'http://schemas.microsoft.com/ws/2008/06/identity/claims';
  // Roles assigned through Users & Roles arrive on context.authorization.roles,
  // not on user.roles; guard against authorization being absent
  const assignedRoles = (context.authorization || {}).roles;

  let idTokenClaims = context.idToken || {};
  let accessTokenClaims = context.accessToken || {};

  // Add the role claim to both the ID token and the access token
  idTokenClaims[`${namespace}/role`] = assignedRoles;
  accessTokenClaims[`${namespace}/role`] = assignedRoles;

  context.idToken = idTokenClaims;
  context.accessToken = accessTokenClaims;

  callback(null, user, context);
}
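As an added example, not code from the thread or from Auth0, the logic of the working Rule above factored into a pure function so it can be exercised offline against a constructed user and context. It assumes the Auth0 Rules signature `(user, context, callback)` and that dashboard-assigned roles arrive on `context.authorization.roles`, as the accepted script relies on. It differs from the accepted script in two defensive ways: it rejects a claim name that is not an absolute URL (Auth0 drops non-namespaced custom claims silently, which is the usual reason a Rule "has no effect"), and it writes an empty array rather than `undefined` when no roles are assigned, so the consuming API always sees the same claim type. The `addRoleClaims`, `isNamespaced`, `addRoleClaimRule` and `runSample` names and the sample data are constructed for this example.

```javascript
// Added example: the role-claim Rule as a testable pure function.
// Not the thread's own code; names and sample data are constructed.

// Custom claim names must be absolute URLs; Auth0 drops non-namespaced
// custom claims, so reject a bare name before it silently disappears.
function isNamespaced(claimName) {
  try {
    const u = new URL(claimName);
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch (e) {
    return false;
  }
}

// Pure version of the Rule body: returns a new context with the role
// claim added to both tokens, without mutating the input.
function addRoleClaims(user, context, namespace) {
  const claimName = `${namespace}/role`;
  if (!isNamespaced(claimName)) {
    throw new Error(`custom claim "${claimName}" must be a namespaced URL`);
  }
  // Roles assigned via Users & Roles live on context.authorization.roles,
  // not on user.roles (which is why the first attempt wrote undefined).
  const auth = context.authorization || {};
  const roles = Array.isArray(auth.roles) ? auth.roles.slice() : [];

  const idToken = Object.assign({}, context.idToken || {});
  const accessToken = Object.assign({}, context.accessToken || {});
  idToken[claimName] = roles;
  accessToken[claimName] = roles;
  return Object.assign({}, context, { idToken, accessToken });
}

// Rule wrapper in the shape Auth0 invokes: errors are passed to callback
// so a misconfigured namespace fails the login visibly instead of silently.
function addRoleClaimRule(user, context, callback) {
  const namespace = 'http://schemas.microsoft.com/ws/2008/06/identity/claims';
  try {
    callback(null, user, addRoleClaims(user, context, namespace));
  } catch (err) {
    callback(err);
  }
}

// Constructed sample input: a user with two roles assigned in the dashboard
// and the permissions claim the API already receives.
const sampleUser = { user_id: 'google-oauth2|EXAMPLE', email: 'user@example.com' };
const sampleContext = {
  authorization: { roles: ['admin', 'reader'] },
  accessToken: { permissions: ['read:messages'] },
  idToken: {},
};

// Runs the Rule on the sample and returns the resulting context.
function runSample() {
  let result;
  addRoleClaimRule(sampleUser, sampleContext, (err, user, ctx) => {
    if (err) throw err;
    result = ctx;
  });
  return result;
}

console.log(JSON.stringify(runSample().accessToken, null, 2));
```

Running it prints the access token claims with `permissions` intact and a `.../claims/role` array of `["admin","reader"]` added; the same claim name is what the API must look up when mapping roles, so keep the namespace string in one place on both sides.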

Thanks for following up on this!
