How to add permissions to the access token (Actions) [Edit]

Hello everyone,

It’s my first time using Auth0, and I need to add all permissions the user has to the access token.

I need it because the admin has the option to create roles with permissions in the application. But the functionality in the front-end needs to be different depending on user permissions, not user role.

The role is just a way to group the permissions and save time adding a new user to the system.

At the moment, I’ve created an Action with this code:

exports.onExecutePostLogin = async (event, api) => {
    const ManagementClient = require('auth0').ManagementClient;

    // Management API client; domain and credentials are read from the Action's secrets
    const management = new ManagementClient({
        domain: event.secrets.domain,
        clientId: event.secrets.clientId,
        clientSecret: event.secrets.clientSecret,
    });

    const claimName = 'http://roles/permissions';

    // Fetch the permissions of the user who is logging in
    const params = { id: event.user.user_id };
    const p = await management.getUserPermissions(params);
    const permissionsArr = p.map(function (n) {
        return n.permission_name;
    });

    // Add the same claim to both the ID token and the access token
    api.idToken.setCustomClaim(claimName, { "permissions": permissionsArr });
    api.accessToken.setCustomClaim(claimName, { "permissions": permissionsArr });
}

It works, but the claim is being added two times to the idToken, and probably the same is happening to the accessToken (not sure about this one).

Can anyone help me out?

[Edit]
I just learned that it must be “duplicated”; the same happens when there’s more than one role assigned to the user.
I had no idea of that.

My only question now is how I can check the user permissions the same way as with roles.

I am using Blazor, so for role verification, I use this at the top of the Razor page:
@attribute [Authorize(Roles = "Admin")]

1 Like

Hi @MeloHenrique

Welcome to Auth0 Community !!!

It is a recommended practice to use roles as a medium of assigning permissions to users. In other words, avoid assigning permissions directly to users but instead:

Permissions → Roles → Users

This is how you can set roles. Add roles

Hope it helps

Thanks
Jeff

1 Like

Hi,

Thanks for your response.

I am assigning the role to the user.

But I want to change the functionality on the front-end based on the permissions. I have no idea how many roles the admin will create and what permissions each user role will have. I need to show or hide pages based on the user permissions. These permissions are based on the user role.

I am using Blazor, and I can make a page only show to a specific role using this line of code:
@attribute [Authorize(Roles = "Admin")]

But I need to make this verification to the user permissions.
When the user logs in, I am adding the user role and his permissions to the token. Now I just need to know how I can make the same role verification with permissions.

2 Likes
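
An added example, not part of any post in this thread and not Auth0's or Microsoft's sample code: one way to gate a Blazor page on a permission instead of a role is ASP.NET Core policy-based authorization, with a handler that reads the `http://roles/permissions` claim set by the Action above. It assumes the claim reaches the `ClaimsPrincipal` as the JSON text `{"permissions":[...]}`; `PermissionRequirement`, `PermissionHandler`, `AddPermissionPolicies` and the permission name `read:reports` are hypothetical names chosen for illustration.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

// Requirement: the signed-in user must hold one named permission.
public sealed record PermissionRequirement(string Permission) : IAuthorizationRequirement;
public sealed class PermissionHandler : AuthorizationHandler<PermissionRequirement>
{
    public const string ClaimName = "http://roles/permissions"; // claim set by the Action above
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, PermissionRequirement requirement)
    {
        // Never calling Succeed leaves the policy unmet, so the default is deny.
        if (ReadPermissions(context.User).Contains(requirement.Permission)) context.Succeed(requirement);
        return Task.CompletedTask;
    }
    // Assumption: each claim value is the JSON text {"permissions":["..."]}.
    // The claim may appear more than once; the set merges and de-duplicates.
    public static HashSet<string> ReadPermissions(ClaimsPrincipal user)
    {
        var found = new HashSet<string>();
        foreach (var claim in user.FindAll(ClaimName))
            try
            {
                using var doc = JsonDocument.Parse(claim.Value);
                if (doc.RootElement.ValueKind != JsonValueKind.Object ||
                    !doc.RootElement.TryGetProperty("permissions", out var list) ||
                    list.ValueKind != JsonValueKind.Array) continue;
                foreach (var item in list.EnumerateArray())
                    if (item.ValueKind == JsonValueKind.String) found.Add(item.GetString()!);
            }
            catch (JsonException) { } // a malformed claim grants nothing
        return found;
    }
}

public static class PermissionPolicies
{
    // Registers one policy per permission name, e.g. AddPermissionPolicies("read:reports").
    public static IServiceCollection AddPermissionPolicies(
        this IServiceCollection services, params string[] permissions)
    {
        services.AddSingleton<IAuthorizationHandler, PermissionHandler>();
        return services.AddAuthorizationCore(options => {
            foreach (var name in permissions)
                options.AddPolicy(name, p => p.AddRequirements(new PermissionRequirement(name)));
        });
    }
}
```

With the policies registered at startup, a page is restricted with `@attribute [Authorize(Policy = "read:reports")]`. Hiding a page in the browser only changes the UI, so the API behind it still has to check the same permission in the access token.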

Hey there!

As this topic is related to Actions and Rules & Hooks are being deprecated soon in favor of Actions, I’m excited to let you know about our next Ask me Anything session in the Forum on Thursday, January 18 with the Rules, Hooks and Actions team on Rules & Hooks and why Actions matter! Submit your questions in the thread above and our esteemed product experts will provide written answers on January 18. Find out more about Rules & Hooks and why Actions matter! Can’t wait to see you there!

Learn more here!