No roles in token

I’m trying to get roles added as a claim to my JWT, but so far they are not coming through. This is what I have done:

  1. I have added the Authorization Extension
  2. In the extension, created a role and added a user to it
  3. In the extension configuration, under rules configuration, flipped the switch for roles:
  4. Clicked publish
  5. In my control panel, verified that the rule got created
  6. When I run the rule, change the user details to my test users, the roles array still comes back blank.

As an aside, I’m fairly certain when I tested this earlier it was not blank, but then when I log in with my SPA (Angular) the roles array itself was absent from the token.

What am I missing? I’ve followed the documentation and read posts in here, but would be happy to be pointed at a more detailed step by step approach. With that said it’s not a greenfield application so I’ve had to interpret it as best I can in a lot of cases for my existing scenario.

Hi @mattgoldman,

I haven’t used the authz extension in a while but I believe that toggle just saves role data in the user’s profile (user.app_metadata.authorization). If you want to add that same data to your ID token you need to create another rule that does that. This might help:

https://auth0.com/docs/extensions/authorization-extension/v2/rules

Hi @markd, thanks for the response. I think this is the toggle that saves the role data:

But just for fun I’ve now got both on.

Also thanks for the doc - that seems to suggest that you need to configure your application in the dashboard to assert that roles (and which roles) are required, which I suppose then necessitates their inclusion in the token.

I have followed those steps, and this doesn’t seem to have made a difference. However, I did spot this:

I wonder if the problem is with my login process. Is this something I should configure in my client, here for example?


Thanks again

I believe that is correct. When you log in, you will get back a combination of the scopes you request (and are allowed to request) and any additional attributes you manually add to the ID and / or access tokens.

And you are right, it is the second toggle that persists the data in the user’s profile. Note that this is implemented in a rule which means the data in the user’s profile is only added / updated during login events.

If I remember correctly, our setup was very basic. We persisted the data in the user’s profile and then manually added it to our tokens. I don’t think we used the ‘authz object in rules’ feature.

Thanks Mark, appreciate the response. I think another problem was that I was testing on the free tier which doesn’t support roles. I’ve subsequently switched this to one of the paid tiers that includes it. Next step is to figure out how I request these in my login config, although in the meantime when I run the ‘test rules with username and password’ I do now get the roles array, but they are still blank.

I am going to log a support ticket and will post findings back here when it gets resolved.

1 Like

You are probably aware of this but just to make sure, there are two “RBAC” options in Auth0 today. The Authorization Extension, which is where your screenshots come from, and “authorization core”, which is a relatively new feature that is built in to Auth0. I suspect authz core will eventually replace the authz extension altogether, though I don’t know that for sure. Sometimes the two services can cause some confusion.

In either case the usual way to get profile data into your ID tokens and / or access tokens is to write a Rule. For the authz extension you can either access its API or persist the data in the user profile and pull from there. For authz core you can get the data from the management API.

Greetings - I am using angular client sample/code - I’m unable to receive roles - tips please :)

+1 This - Receiving Roles on angular/client auth is critical and I don’t see any resources from Auth0 for making this possible. When will this concern be addressed - I wish to receive assigned roles when client auths.

What do you mean when you say you are “unable to receive roles”? What have you done so far that is not working?

Are you using authorization core, the authorization extension, or a DIY solution?

I had been using an example that was on : //https://auth0.github.io/auth0-spa-js/classes/auth0client.html#getuser but that no longer seems available. Basically - Using angular9, I wish to use Auth0 to authorize an angular application, receive tokens/user information including their roles so I can control their access to the app - are there any good examples out there? (Thanks)

No.

(But I’m working on one). ‘Roles’ in this sense isn’t technically part of the OAuth spec, and authorisation (not authentication) is expected to be managed in other ways. The documentation for all of the major vendors in this space seems to shy away from it.

I’m working on a blog post to cover this but if your need is urgent it’s probably not going to be available soon enough.

I’m confused by the “Roles in this sense isn’t technically part of the OAuth spec”, I’m using the Auth0 interface/code supplied, authenticating through Auth0 (which wraps OAuth) and overlays that with features such as “Users & Roles” / Users Roles on my application setup page. It seems that if I can configure that on your site that there is a way to determine what User group or Roles the authenticated user is - isn’t there? If not - what are the users/roles features on your web page used for? Is there another callback I can make with a token of some type to get this info?

1 Like

The feature you are referring to is authorization core. The role information is available via the management api. There are various ways to get the role information. You can call the API yourself. You could write a Rule that calls the API and includes role data in the user’s ID and/or access tokens.

Have you made any progress on this issue? Seems like an Angular client should be able to receive roles as scopes/claims and that there should be an angular example of this - can you please provide? (thanks)

The solution I went with was to add a rule named “Add user role” defined as

function (user, context, callback) {
  // Custom claims must be namespaced with a URL-style prefix
  const namespace = 'http://schemas.microsoft.com/ws/2008/06/identity/claims';
  // Roles provided by the Authorization Extension when the "authz object in rules" toggle is on
  const assignedRoles = (context.authorization || {}).roles;

  let idTokenClaims = context.idToken || {};
  let accessTokenClaims = context.accessToken || {};

  // Add the same role claim to both the ID token and the access token
  idTokenClaims[`${namespace}/role`] = assignedRoles;
  accessTokenClaims[`${namespace}/role`] = assignedRoles;

  context.idToken = idTokenClaims;
  context.accessToken = accessTokenClaims;
  callback(null, user, context);
}

My Rules now looks like

3 Likes
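As an added example (not code from the thread or from Auth0), the following Rule combines the two approaches discussed above: it reads roles from `context.authorization` when the extension's "authz object in rules" toggle is on, and otherwise falls back to the roles the "persist roles" toggle stores in `user.app_metadata.authorization`. It always emits an array, so a consumer never sees a missing claim. The namespace URL, the role names and the `runRule` harness that simulates the rule runtime with constructed inputs are assumptions for illustration.

```javascript
// Added example: Auth0-style Rule that copies roles into namespaced token claims.
// Assumed namespace; custom claims need a URL-style prefix so they do not
// collide with reserved JWT claims.
const NAMESPACE = 'https://example.com/claims';
const ROLE_CLAIM = `${NAMESPACE}/roles`;

function addRolesRule(user, context, callback) {
  // Roles supplied directly by the Authorization Extension ("authz object in rules")
  const fromContext = (context.authorization || {}).roles;
  // Roles persisted in the profile by the extension's "persist roles" toggle
  const fromProfile = ((user.app_metadata || {}).authorization || {}).roles;

  // Prefer the live context data, fall back to the persisted profile data,
  // and default to an empty array so the claim is always present.
  let roles = [];
  if (Array.isArray(fromContext) && fromContext.length > 0) {
    roles = fromContext;
  } else if (Array.isArray(fromProfile)) {
    roles = fromProfile;
  }

  // Add the same namespaced claim to both tokens without clobbering existing claims
  context.idToken = Object.assign({}, context.idToken, { [ROLE_CLAIM]: roles });
  context.accessToken = Object.assign({}, context.accessToken, { [ROLE_CLAIM]: roles });
  callback(null, user, context);
}

// Local simulation of the rule runtime (constructed inputs, no Auth0 call).
// Rules invoke the callback synchronously here, so the result is captured directly.
function runRule(user, context) {
  let result;
  addRolesRule(user, context, (err, _user, ctx) => {
    if (err) throw err;
    result = ctx;
  });
  return result;
}

// Helper a consumer would use to read the roles claim back out of a token payload
function rolesFromClaims(claims) {
  const roles = claims[ROLE_CLAIM];
  return Array.isArray(roles) ? roles : [];
}

// Constructed sample runs
const viaContext = runRule(
  { app_metadata: {} },
  { authorization: { roles: ['admin'] }, idToken: { sub: 'auth0|1' }, accessToken: {} }
);
const viaProfile = runRule(
  { app_metadata: { authorization: { roles: ['editor', 'viewer'] } } },
  { idToken: {}, accessToken: {} }
);
const noRoles = runRule({}, { idToken: {}, accessToken: {} });
```

The ID token claim is what the Angular SPA can read to show or hide UI, but it is only a hint for the browser; the API that protects data must verify the access token's signature and read the same namespaced claim from there before making an authorization decision.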

Thanks for sharing that with the rest of community!
