Map roles to user from external identity provider

Hi folks,

Currently have an API Audience with RBAC enabled and Add Permissions in the Access Token enabled.

The API Audience has a number of permissions which in turn are associated with various roles.
Some users are stored in Auth0’s identity store and have the various roles assigned.

The APIs are accessed via a react app and when I log to the app to access the RBAC’ed API I can see the JWT token with the appropriate permissions claims.

The react app also connects to AWS Cognito via Open ID Connect and I can log into the react app using the Cognito credentials. The Cognito users have a cognito:groups claim which I want to map to an Auth0 role, and subsequently access the RBAC’ed API.

I’ve trawled through a number of posts I’ve tried using rules to modify the context object but unfortunately have not been see the permissions claim in the JWT.

I want to avoid actually permanently assigning the Auth0 roles to the Cognito users if possible to prevent possible mismatches in authorisations.

Hi @fyuan,

Welcome to the Community!

Could you add the groups to the token via a custom claim?

Hi @dan.woda,

I am able to do that via the rules, however
what I want to achieve is to allow the Auth0 runtime to determine the permissions of the user via the setting of a role.

this is the jwt of the user with a db id provider who has been assgined to the “billing-agent” role
the auth0 runtime provides role to permissions mapping which is then accessible via the jwt:

{
  "iss": "https://xxxx.au.auth0.com/",
  "sub": "auth0|5e8965df4ce5210bd3c3fada",
  "aud": [
    "https://yyyy.com/api",
    "https://xxxx.au.auth0.com/userinfo"
  ],
  "iat": 1586758328,
  "exp": 1586844728,
  "azp": "lAeDtRv5uKc5qCvmkOE5LnWWUlRatU7U",
  "scope": "openid profile email",
  "permissions": [
    "create:bill",
    "read:bill",
    "read:payment"
  ]
}

what I want to achieve is given another user with an ODIC provider using the “cognito:groups” of “billing-agent” map to that to the auth0 role and then subsequently have auth0 perform the role to permissions mapping and allow the permissions claim to be present in the jwt

currently if I add context.accessToken[‘https://yyyy.com/roles’] = ‘{roles: [‘billing-agent’]}’ doesn’t trigger then auth0 runtime to map the role to permissions in the claim as the case with db provider user.

I want to avoid permanently adding the user to the role if possible as the “cognito:group” may change in the upstream provider.