How do I get role claims added to my access token?

jlavallet · July 30, 2019, 3:17pm

This seems like such a simple question. How do I get role claims added to my access token?

I am using RBAC having enabled it on my API.

I am successfully receiving permissions claims as well.

What I am hoping for is to add roles claims alongside those permissions claims.

Everything I search for seems to take me back to creating a Rule and the example of creating an “admin” or “user” role claim based on the “Set roles to a user” Rule template:

This template assumes that the roles you want added to the token are based on the domain of the email address of the user. That is not what I want at all.

What I want is to add the roles I have associated with a user through the Users & Roles feature in the Management Dashboard.

How do I do that?

Here is an example of the claims I am receiving in my access token now:

[{
		"type": "iss",
		"value": "https://centurysoftwaretech.auth0.com/"
	}, {
		"type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
		"value": "google-oauth2|REDACTED"
	}, {
		"type": "aud",
		"value": "http://localhost/auth0testapi"
	}, {
		"type": "aud",
		"value": "https://centurysoftwaretech.auth0.com/userinfo"
	}, {
		"type": "iat",
		"value": "1564432797"
	}, {
		"type": "exp",
		"value": "1564519197"
	}, {
		"type": "azp",
		"value": "REDACTED"
	}, {
		"type": "scope",
		"value": "openid"
	}, {
		"type": "permissions",
		"value": "read:messages"
	}, {
		"type": "permissions",
		"value": "read:values"
	}, {
		"type": "permissions",
		"value": "write:values"
	}
]

Please advise. Thank you.
Jack

jlavallet · July 30, 2019, 4:09pm

I tried the following but it had no effect.

I created a Rule named “Add role claim” and provided the following as its body:

function (user, context, callback) {
  
  var roleClaim = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";
  
  context.accessToken[roleClaim] = user.roles;
  
  callback(null, user, context);
}

It had no discernible effect on my claims.

What is the secret?

jlavallet · January 23, 2020, 4:31pm

I finally found a Rule script that worked:

function (user, context, callback) {
  const namespace = 'http://schemas.microsoft.com/ws/2008/06/identity/claims';
  const assignedRoles = (context.authorization || {}).roles;

  let idTokenClaims = context.idToken || {};
  let accessTokenClaims = context.accessToken || {};

  idTokenClaims[`${namespace}/role`] = assignedRoles;
  accessTokenClaims[`${namespace}/role`] = assignedRoles;

  context.idToken = idTokenClaims;
  context.accessToken = accessTokenClaims;

  callback(null, user, context);
}

dan.woda · January 23, 2020, 4:45pm

Thanks for following up on this!

system · February 7, 2020, 4:45pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to Add Permissions from Roles to Access Token Help user-profile , user-management	6	2822	January 13, 2023
Roles and permissions not added by default Help configuration , application	5	3748	May 31, 2023
Add roles to the access token Help	7	24768	October 28, 2019
How to add permissions to the access token (Actions) [Edit] Help auth0 , management-api , login	3	3003	January 8, 2024
Adding a simple Admin identifier to access token Help user-profile , user-management	5	871	December 22, 2023

How do I get role claims added to my access token?

Related Topics