I am unable to add the role which was added during the first login to the access token

shester · July 27, 2023, 2:42pm

I have the following actions in my Login flow:

Assign Role On First Login:

exports.onExecutePostLogin = async (event, api) => {
  if (event.stats.logins_count !== 1) {
    return;
  }

  const ManagementClient = require('auth0').ManagementClient;

  const management = new ManagementClient({
      domain: event.secrets.domain,
      clientId: event.secrets.clientId,
      clientSecret: event.secrets.clientSecret
  });

  const params =  { id : event.user.user_id};
  const data = { "roles" : ["rol_7OQ4PJQWyE0R0eQC"]};

  try {
    const res = await management.assignRolestoUser(params, data)
  } catch (e) {
    console.log(e)
    // Handle error
  }
};

Enrich Access Token

exports.onExecutePostLogin = async (event, api) => {
  if (event.authorization){
    api.accessToken.setCustomClaim("user_id", event.user.user_id);
    api.accessToken.setCustomClaim("user_name", event.user.name);
    api.accessToken.setCustomClaim("user_email", event.user.email);

    const hasuraClaims = {
      "x-hasura-user-id": event.user.user_id
    };

    let roles;
    if (event.stats.logins_count === 1) {
      const ManagementClient = require('auth0').ManagementClient;

      const management = new ManagementClient({
          domain: event.secrets.domain,
          clientId: event.secrets.clientId,
          clientSecret: event.secrets.clientSecret
      });

      const params =  { id : event.user.user_id};

      try {
        roles = await management.getUserRoles(params)
      } catch (e) {
        console.log(e)
        // Handle error
      }
    }
    else {
      roles = event.authorization.roles.map(role => role.toLowerCase());
    }
    
    if (roles && roles.length > 0) {
      api.idToken.setCustomClaim("user_roles", roles);
      api.accessToken.setCustomClaim("user_roles", roles);

      const defaultRole = roles.reduce((highestRole, currentRole) => {
        if (currentRole === "admin") {
          return currentRole;
        }
        if (currentRole === "manager" && highestRole !== "admin") {
          return currentRole;
        }
        if (currentRole === "editor" && highestRole !== "admin" && highestRole !== "manager") {
          return currentRole;
        }
        if (currentRole === "viewer" && highestRole !== "admin" && highestRole !== "manager" && highestRole !== "editor") {
          return currentRole;
        }
        return highestRole;
      }, "");

      hasuraClaims["x-hasura-default-role"] = defaultRole;
      hasuraClaims["x-hasura-allowed-roles"] = roles;
    }
    
    api.accessToken.setCustomClaim("https://hasura.io/jwt/claims", hasuraClaims);
  }
};

The first action successfully adds the role on the first login. However, in the second action during the first login, event.authorization.roles does not contain the role that was added in the previous action. To get around this, I tried to use the management API to getUserRoles, but this does not seem to be working as expected.

What is the recommended approach here? Is there some way to add the added role to the event from the first action so it can be consumed normally by the second action? Should I be using the management API in the second action to get the user roles (like I’m currently trying to do, but in the correct way)?

Please advise. Thanks!

shester · July 27, 2023, 3:01pm

Disregard… I figured it out. The issue is that the Machine to Machine application I am using to connect to the Management API needed the read:users permission (which I didn’t have) along with the read:roles permission (which I did have). It also needs the update:roles permission to be able to set the role from the first action. Here is the updated second action:

exports.onExecutePostLogin = async (event, api) => {
  if (event.authorization){
    api.accessToken.setCustomClaim("user_id", event.user.user_id);
    api.accessToken.setCustomClaim("user_name", event.user.name);
    api.accessToken.setCustomClaim("user_email", event.user.email);

    const hasuraClaims = {
      "x-hasura-user-id": event.user.user_id
    };

    let roles;
    if (event.stats.logins_count === 1) {
      const ManagementClient = require('auth0').ManagementClient;

      const management = new ManagementClient({
          domain: event.secrets.domain,
          clientId: event.secrets.clientId,
          clientSecret: event.secrets.clientSecret
      });

      const params =  { id : event.user.user_id};

      try {
        const userRoles = await management.getUserRoles(params);
        roles = userRoles.map((role) => role.name.toLowerCase());
      } catch (e) {
        console.log(e);
        // Handle error
      }
    }
    else {
      roles = event.authorization.roles.map(role => role.toLowerCase());
    }
    
    if (roles && roles.length > 0) {
      api.idToken.setCustomClaim("user_roles", roles);
      api.accessToken.setCustomClaim("user_roles", roles);

      const defaultRole = roles.reduce((highestRole, currentRole) => {
        if (currentRole === "admin") {
          return currentRole;
        }
        if (currentRole === "manager" && highestRole !== "admin") {
          return currentRole;
        }
        if (currentRole === "editor" && highestRole !== "admin" && highestRole !== "manager") {
          return currentRole;
        }
        if (currentRole === "viewer" && highestRole !== "admin" && highestRole !== "manager" && highestRole !== "editor") {
          return currentRole;
        }
        return highestRole;
      }, "");

      hasuraClaims["x-hasura-default-role"] = defaultRole;
      hasuraClaims["x-hasura-allowed-roles"] = roles;
    }
    
    api.accessToken.setCustomClaim("https://hasura.io/jwt/claims", hasuraClaims);
  }
};