How to add permissions to the access token (Actions) [Edit]

Hello everyone,

It’s my first time using Auth0, and I need to add all permissions the user has to the access token.

I need it because the admin has the option to create roles with permissions in the application. But the functionality in the front-end needs to be different depending on user permissions, not user role.

The role is just a way to group the permissions and save time adding a new user to the system.

At the moment, I’ve created an Action with this code:

exports.onExecutePostLogin = async (event, api) => {
    // Management API client, built from credentials stored as Action secrets
    const ManagementClient = require('auth0').ManagementClient;

    const management = new ManagementClient({
        domain: event.secrets.domain,
        clientId: event.secrets.clientId,
        clientSecret: event.secrets.clientSecret,
    });

    const claimName = 'http://roles/permissions';

    // Look up the permissions of the user who is logging in
    var params = {id: event.user.user_id};
    var p = await management.getUserPermissions(params);

    // Keep only the permission names
    var permissionsArr = p.map(function (n) {
        return n.permission_name;
    });

    // Add the permissions as a custom claim to both tokens
    api.idToken.setCustomClaim(claimName, {"permissions": permissionsArr});
    api.accessToken.setCustomClaim(claimName, {"permissions": permissionsArr});
}

It works, but the claim is being added two times to the idToken, and probably the same is happening to the accessToken (not sure about this one).

Can anyone help me out?

[Edit]
I just learned that it must be “duplicated”; the same happens when there’s more than one role assigned to the user.
I had no idea of that.

My only question now is how I may check the user permissions the same way as with roles.

I am using Blazor, so for roles verification, I use this at the top of the Razor page:
@attribute [Authorize(Roles = "Admin")]

1 Like

Hi @MeloHenrique

Welcome to Auth0 Community !!!

It is a recommended practice to use roles as a medium of assigning permissions to users. In other words, avoid assigning permissions directly to users but instead:

Permissions → Roles → Users

This is how you can set roles. Add roles

Hope it helps

Thanks
Jeff

1 Like

Hi,

Thanks for your response.

I am assigning the role to the user.

But I want to change the functionality on the front-end based on the permissions. I have no idea how many roles the admin will create and what permissions each user role will have. I need to show or hide pages based on the user permissions. These permissions are based on the user role.

I am using Blazor, and I can make a page only show to a specific role using this line of code:
@attribute [Authorize(Roles = "Admin")]

But I need to make this verification to the user permissions.
When the user logs in, I am adding the user role and his permissions to the token. Now I just need to know how can I make the same role verification with permissions.

2 Likes
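
The Action from the first post and the permission check asked about in this thread, as an added example that is not part of the original posts or Auth0's own code. The helper names, the injected lookup and the `example.test` values are assumptions made so it runs offline; it also goes slightly beyond the post by de-duplicating names and keeping only permissions of the API named in `event.resource_server.identifier`.

```javascript
// Added example; collectPermissions, makePostLogin, hasPermissions and demo are hypothetical names.
const CLAIM = 'http://roles/permissions'; // claim name from the Action in the first post

// Reduce Management API permission records to a sorted, de-duplicated list of names,
// keeping only those that belong to the API (audience) the token is requested for.
function collectPermissions(records, audience) {
  const names = new Set();
  for (const r of Array.isArray(records) ? records : []) {
    if (!r || typeof r.permission_name !== 'string') continue;
    if (audience && r.resource_server_identifier !== audience) continue;
    names.add(r.permission_name);
  }
  return [...names].sort();
}

// Post-login handler built around an injected lookup so it runs offline; in a deployed
// Action the lookup would be the ManagementClient call shown in the first post.
function makePostLogin(fetchPermissions) {
  return async (event, api) => {
    const records = await fetchPermissions(event.user.user_id);
    const audience = event.resource_server && event.resource_server.identifier;
    const permissions = collectPermissions(records, audience);
    api.idToken.setCustomClaim(CLAIM, { permissions });
    api.accessToken.setCustomClaim(CLAIM, { permissions });
  };
}

// Deny-by-default check on decoded token claims: all required permissions must be present.
function hasPermissions(claims, required) {
  const granted = claims && claims[CLAIM] && claims[CLAIM].permissions;
  if (!Array.isArray(granted)) return false;
  return required.every((p) => granted.includes(p));
}

// Constructed sample run: made-up records and a recording stand-in for `api`.
async function demo() {
  const records = [
    { permission_name: 'read:reports', resource_server_identifier: 'https://api.example.test' },
    { permission_name: 'read:reports', resource_server_identifier: 'https://api.example.test' },
    { permission_name: 'delete:users', resource_server_identifier: 'https://other.example.test' },
  ];
  const claims = {};
  const recorder = { setCustomClaim: (k, v) => { claims[k] = v; } };
  const event = { user: { user_id: 'auth0|constructed' },
                  resource_server: { identifier: 'https://api.example.test' } };
  await makePostLogin(async () => records)(event, { idToken: recorder, accessToken: recorder });
  return claims;
}
```

A check like `hasPermissions` in the front-end only decides what to show; the API behind it still has to validate the access token and test the same claim before acting.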

Hey team!

Since this topic touches Auth0 Actions, quick heads-up that we’re hosting an Ask Me Anything dedicated to Actions with Gaston Danilo Asis Sanchez, Senior Technical Product Manager. We’ll cover practical usage, new capabilities like Transaction Metadata and Actions Types, plus a peek at what’s next.

  • Submit questions now through Aug 26
  • Get detailed written answers live on Aug 27, 9–11 AM PT

Earn community points + a badge. If you’re exploring how Actions can streamline your auth flows, this is a great time to get direct guidance from the team.
Join the AMA & drop your questions here: August 27 Auth0 Community Ask Me Anything: Actions

Dawid