Problem statement
Is it possible to retrieve the user’s Roles and/or Permissions and include them in the JWT Token?
Solution
Yes, it’s possible to retrieve the user’s Roles and/or Permissions and append them to either the ID Token or Access Token. To do so, you must use a Post-Login Action script.
1.1 Roles
To add the user’s Roles to the token, read the event.authorization.roles property and set it as a custom claim on the token. See the Auth0 documentation on creating namespaced custom claims. Below is an example Post-Login Action that adds Roles to both tokens.
/**
 * @param {Event} event - Details about the user and the context in which they are logging in.
 * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
 */
exports.onExecutePostLogin = async (event, api) => {
  // Namespace the claim so it cannot collide with standard OIDC claims.
  const namespace = 'https://my-app.example.com';
  // event.authorization is not populated in every flow, so guard before reading it.
  if (event.authorization) {
    api.idToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
    api.accessToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
  }
};
1.2 Permissions
For Permissions, there is no event property to read; you must call the Management API’s Get a User’s Permissions endpoint from within the Action and add the result to the token as a custom claim.
Note that you can alternatively get the user’s Roles by calling the Management API’s Get a user’s roles endpoint.
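The following is an added example, not part of this article and not Auth0’s own sample code, showing the Permissions lookup described above as a complete Post-Login Action. It assumes the node-auth0 v2 ManagementClient with its getUserPermissions method, Action secrets named DOMAIN, CLIENT_ID and CLIENT_SECRET for a machine-to-machine application authorized for the Management API (read:users), a page size of 100, and the same https://my-app.example.com namespace as the Roles example. The permission records at the bottom are constructed so the claim logic can be exercised offline; the claim is filtered to the audience being requested so the token does not disclose grants on unrelated APIs.

```javascript
// Added example, not from the Auth0 article: a Post-Login Action that looks up
// the user's Permissions through the Management API and adds them as a custom
// claim. Assumed: node-auth0 v2's ManagementClient.getUserPermissions, Action
// secrets DOMAIN / CLIENT_ID / CLIENT_SECRET for an M2M application authorized
// for the Management API (read:users), and the namespace below.
const NAMESPACE = 'https://my-app.example.com';
const PAGE_SIZE = 100; // assumed page size for the paginated endpoint

// Reduce Management API permission objects ({ permission_name,
// resource_server_identifier, ... }) to a sorted, de-duplicated list of names.
// When an audience is given, keep only grants on that API so the token does not
// disclose the user's permissions on unrelated resource servers.
function selectPermissionNames(permissions, audience) {
  const names = new Set();
  for (const p of permissions || []) {
    if (!p || typeof p.permission_name !== 'string') continue;
    if (audience && p.resource_server_identifier !== audience) continue;
    names.add(p.permission_name);
  }
  return [...names].sort();
}

// Fetch every page of the user's permissions; the endpoint returns a plain
// array when include_totals is not requested.
async function fetchAllPermissions(management, userId) {
  const all = [];
  for (let page = 0; ; page++) {
    const batch = await management.getUserPermissions({ id: userId, page, per_page: PAGE_SIZE });
    all.push(...batch);
    if (batch.length < PAGE_SIZE) break;
  }
  return all;
}

// Set the permissions claim on both tokens. Returns the claim value, or null
// when the lookup failed and no claim was added.
async function addPermissionsClaim(event, api, management) {
  const audience = event.resource_server && event.resource_server.identifier;
  let permissions;
  try {
    permissions = await fetchAllPermissions(management, event.user.user_id);
  } catch (err) {
    // Fail closed on the claim: a missing claim is safer than a partial one.
    console.log(`permissions lookup failed for ${event.user.user_id}: ${err.message}`);
    return null;
  }
  const names = selectPermissionNames(permissions, audience);
  api.idToken.setCustomClaim(`${NAMESPACE}/permissions`, names);
  api.accessToken.setCustomClaim(`${NAMESPACE}/permissions`, names);
  return names;
}

// The Action entry point. `require('auth0')` is resolved inside the handler so
// the helpers above can be loaded and tested outside the Actions runtime.
async function onExecutePostLogin(event, api) {
  const { ManagementClient } = require('auth0');
  const management = new ManagementClient({
    domain: event.secrets.DOMAIN,
    clientId: event.secrets.CLIENT_ID,
    clientSecret: event.secrets.CLIENT_SECRET,
  });
  await addPermissionsClaim(event, api, management);
}
if (typeof exports === 'object') exports.onExecutePostLogin = onExecutePostLogin;

// Constructed sample data standing in for a Management API response, plus a
// fake `api` and client, so the claim logic can be exercised offline.
const SAMPLE_PERMISSIONS = [
  { permission_name: 'read:reports', resource_server_identifier: 'https://api.example.com' },
  { permission_name: 'write:reports', resource_server_identifier: 'https://api.example.com' },
  { permission_name: 'read:reports', resource_server_identifier: 'https://api.example.com' },
  { permission_name: 'admin:billing', resource_server_identifier: 'https://billing.example.com' },
];

async function runOffline(failLookup = false) {
  const claims = {};
  const api = {
    idToken: { setCustomClaim: (k, v) => { claims[`id:${k}`] = v; } },
    accessToken: { setCustomClaim: (k, v) => { claims[`access:${k}`] = v; } },
  };
  const management = {
    getUserPermissions: async ({ page }) => {
      if (failLookup) throw new Error('simulated Management API outage');
      return page === 0 ? SAMPLE_PERMISSIONS : [];
    },
  };
  const event = {
    user: { user_id: 'auth0|sample-user' },
    resource_server: { identifier: 'https://api.example.com' },
  };
  const names = await addPermissionsClaim(event, api, management);
  return { names, claims };
}
```

Two design choices worth noting: when the Management API call fails, the Action logs the error and issues the tokens without the claim instead of blocking the login, so a consumer that requires the claim must treat its absence as "no permissions" rather than assume it; and because this call runs on every login it counts against Management API rate limits, so caching the lookup where your Actions runtime allows it is advisable.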
Reference Materials:
- Example Use Case: Add User Roles to ID and Access Tokens with Actions
- Post Login Event Object
- Post Login API Object
- Management API Get Permissions Endpoint
- Management API Get User Roles Endpoint