I’m wondering what Auth0’s recommendation is for getting a user’s roles in a Web Api app…
The app is secured with an access token (JWT Bearer) generated by another Web App (regular web app in Auth0).
Should I use rules mechanism to add “role” claims to Access Token?
Or maybe call the UserInfo endpoint within the Token Validated delegate in the Web Api itself?
Some other techniques?
If I understand correctly you can use the Rules feature to achieve this. We add Auth0 roles to our access tokens using Rules.
Here is an example of doing this (for id_token, but the code is basically the same for access_token).
There is also the new Actions feature, which should probably be used rather than Rules if you are starting from scratch, although I haven’t done that myself yet.
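The Rules/Actions approach described above, written out as an Auth0 post-login Action. This is an added example, not code from the thread or from Auth0; the audience `https://api.example.com` and the claim namespace `https://example.com/` are placeholders, and the small harness at the bottom is a constructed stand-in for the Auth0 runtime so the Action can be exercised offline.

```javascript
// Added example: an Auth0 post-login Action that copies the user's Auth0 roles
// into a namespaced custom claim on the access token (and the id_token).
// Placeholders: API_AUDIENCE and NAMESPACE are assumptions, not real values.
const NAMESPACE = 'https://example.com/';
const API_AUDIENCE = 'https://api.example.com';
const ROLES_CLAIM = `${NAMESPACE}roles`;

// Real Action entry point: Auth0 invokes onExecutePostLogin(event, api) after login.
// event.authorization.roles holds the roles assigned in Auth0's RBAC;
// event.resource_server.identifier is the audience the access token is minted for.
const onExecutePostLogin = async (event, api) => {
  const roles = (event.authorization && Array.isArray(event.authorization.roles))
    ? event.authorization.roles
    : [];

  // Only stamp roles onto access tokens minted for our API; tokens for other
  // audiences do not need them, which also keeps those tokens small.
  const audience = event.resource_server && event.resource_server.identifier;
  if (audience === API_AUDIENCE) {
    api.accessToken.setCustomClaim(ROLES_CLAIM, roles);
  }

  // Keep the id_token behaviour the web app already relies on.
  api.idToken.setCustomClaim(ROLES_CLAIM, roles);
};

// Auth0 loads the Action as a CommonJS module and reads this export.
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// --- constructed harness (stands in for the Auth0 runtime; not part of the Action) ---
function makeFakeApi() {
  const claims = { accessToken: {}, idToken: {} };
  return {
    claims,
    accessToken: { setCustomClaim: (name, value) => { claims.accessToken[name] = value; } },
    idToken: { setCustomClaim: (name, value) => { claims.idToken[name] = value; } },
  };
}

// Runs the Action against a constructed event and returns the claims it set.
// The Action awaits nothing, so its setCustomClaim calls have already run
// by the time the promise it returns is handed back.
function run(event) {
  const api = makeFakeApi();
  onExecutePostLogin(event, api);
  return api.claims;
}

// Demo with a constructed login event.
const demo = run({
  authorization: { roles: ['admin', 'editor'] },
  resource_server: { identifier: API_AUDIENCE },
});
console.log(JSON.stringify(demo));
```

Deploying this as an Action means the roles are read once at login, so the API pays no per-request lookup; the trade-off is that a role change only shows up when the next token is issued, so keep access-token lifetimes short if that matters.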
I’ve already added “Roles” to “id_token”, and it works fine for Web App. However, “id_token” is not applicable for Web Api.
Adding “role” claims to “access_token” opens a Pandora’s box - if extending the access token is a recommended way, then the “email” claim will be the next, and so on.
It’s listed in the docs at the bottom, so I guess it is recommended to some extent.
Calling from your API is possible. You may need a management API token for that, which needs to be kept securely by your API, and then you’d have to implement the logic. Going via Rules means that you don’t need to make extra calls, which would probably add to the request time, and you’d have to be wary of rate limits if that happens on every request. It depends on what the API does, etc.
As a counter point, the other thing to consider is the size of the JWT if you are planning to add lots of custom claims into it.
It looks like extending “access_token” is the only way to pass some metadata to Web Api.
Fetching data from the UserInfo endpoint has a lot of downsides, and it is designed to serve another purpose.