Updating an Angular SPA in an existing system to use Auth0 instead. It mostly works! Users can log in, and there is a custom user role guard for routing, so the application at least has all the required information (e.g., user’s name and roles). Just one problem though…
The existing backend expects the user’s role(s) to be included in the JWT on API calls, and I can’t for the life of me figure out where to enable that.
The httpInterceptor works, and I get a JWT, but the existing backend is expecting “name” and “role” in the payload, neither of which are there.
For a moment, I thought the detailedResponse: true token option might be what I needed to include everything (even if that were overkill), but then instead of a bearer token it sends [object Object] (this may be an unrelated bug, so outside the scope of this question).
So, where/how do I configure Auth0 to include at least the user’s roles in the JWT? Is it in the auth0-angular library in the Angular application or maybe in the audience settings?
I feel the answer must be so basic that I’m missing something obvious, haha.
The global.d.ts in the interface for GetTokenSilentlyOptions says:
If you need to send custom parameters to the Authorization Server, make sure to use the original parameter name.
What does this mean? Can I set up the httpInterceptor tokenOptions to include the name/roles from auth.user$ in the JWT payload? If so, how?