Receive list of granted permissions/roles for each user at time of login

SDK: Auth0.OidcClient.Core 3.2.4
Xamarin Forms

I first implemented Auth0 login in my Xamarin app a couple years ago. I’ve successfully had that working for quite some time. I can authenticate with Google, Facebook, or Twitter. Then I copy the important parts from the ClaimsPrincipal and tuck it away into secure on-device storage (like the keychain on iOS). That all works great.

I’ve just recently started working on this app again. The problem that I was trying to solve in the past and am now needing to solve again is: how do I get roles and permissions for a given user when they log in?

My scenario is this:

My mobile app needs to restrict access to content in the app based on three roles: Admin, Editor, and Public (or the absence of a role). I’ve set up roles and permissions in the Auth0 dashboard, but I’ve never been able to figure out how to either get those pieces of data in the original auth response, or fetch them later after login. I even tried setting up triggers to automatically assign new users to a “public” role, but I’m never able to see that role flow through into the ClaimsPrincipal when a user logs in.

I really need to figure this out, because I’m at the point in development where I need to start restricting some functionality based on roles. Are there any end-to-end examples of how to achieve this? (I’m not talking about QuickStarts…those don’t go far enough). I spent many many hours trying to figure this out, and I’d really appreciate some help trying to solve it. Thanks.

Ok, wow…either I completely missed the roles on the ClaimsPrincipal last time, or maybe something changed since the last time I tried to figure this out. In any case, here’s the role claim right there on the ClaimsPrincipal in the login response:

…and it’s because I’m using this custom rule in the Auth Pipeline:

function (user, context, callback) {
  // Roles assigned to the user in the Auth0 dashboard (Authorization Core)
  // are exposed to Rules on context.authorization.roles.
  const assignedRoles = (context.authorization || {}).roles;
  const idTokenClaims = context.idToken || {};

  // Custom claims must use a namespaced (URL) key; non-namespaced custom
  // claims are dropped from the token. This claim is what shows up on the
  // ClaimsPrincipal in the app after login.
  idTokenClaims['https://schemas.[my domain]/roles'] = assignedRoles;
  context.idToken = idTokenClaims;

  callback(null, user, context);
}
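The following is an added example, not the original poster's code or anything shipped by Auth0. It models the same Rule pattern end to end: the Rule copies the dashboard-assigned roles into a namespaced ID-token claim, and a client-side helper (standing in for what the Xamarin app does with the ClaimsPrincipal) derives the effective role for the three-tier Admin/Editor/Public scheme from that claim. The namespace URL, the `runRule` harness and the constructed `context` objects are assumptions made for the example; the only real Auth0 surface used is the `function (user, context, callback)` Rule signature and `context.authorization.roles` / `context.idToken`.

```javascript
// Added example (not the original poster's code). Constructed namespace:
// Auth0 requires custom claims to be namespaced URLs, otherwise they are
// silently dropped from the token.
const ROLES_CLAIM = 'https://schemas.example.com/roles';

// Role hierarchy from the post: Admin > Editor > Public (absence of a role).
const ROLE_RANK = { Admin: 2, Editor: 1, Public: 0 };

// The Rule as it would run in the Auth0 pipeline. Always emits an array so
// the client can tell "user has no roles" apart from "claim missing", which
// would indicate the Rule did not run at all.
function addRolesRule(user, context, callback) {
  const assignedRoles = (context.authorization || {}).roles || [];
  context.idToken = context.idToken || {};
  context.idToken[ROLES_CLAIM] = assignedRoles;
  callback(null, user, context);
}

// Offline harness (assumption, not part of Auth0): runs the Rule against a
// constructed context and returns the resulting ID-token claims.
function runRule(assignedRoles) {
  const context = {
    authorization: assignedRoles === undefined ? undefined : { roles: assignedRoles },
    idToken: {},
  };
  let claims;
  addRolesRule({ user_id: 'auth0|constructed-user' }, context, (err, _user, ctx) => {
    if (err) throw err;
    claims = ctx.idToken;
  });
  return claims;
}

// Client side: pick the highest-ranked recognised role from the claim.
// Missing claim, empty list or unknown role names all fall back to Public,
// so an unexpected token shape never grants elevated access.
function effectiveRole(claims) {
  const roles = claims[ROLES_CLAIM];
  if (!Array.isArray(roles)) return 'Public';
  return roles.reduce(
    (best, r) => (ROLE_RANK[r] !== undefined && ROLE_RANK[r] > ROLE_RANK[best] ? r : best),
    'Public'
  );
}

// Feature gates the app would apply; Editor and Admin may edit, only Admin administers.
function canEdit(claims) {
  return ROLE_RANK[effectiveRole(claims)] >= ROLE_RANK.Editor;
}
function canAdminister(claims) {
  return effectiveRole(claims) === 'Admin';
}

// Demo run with constructed role sets.
for (const roles of [['Admin', 'Editor'], ['Editor'], [], undefined, ['Superuser']]) {
  const claims = runRule(roles);
  console.log(JSON.stringify(roles), '->', effectiveRole(claims), 'canEdit:', canEdit(claims));
}
```

Two design points carried by the example: the Rule defaults the claim to an empty array rather than leaving it `undefined`, which makes a missing Rule visible in the app instead of looking like an unprivileged user, and the client treats any unrecognised role name as Public. The ID-token claim is only a hint for hiding UI; any API the app calls should enforce the same roles on its own side from the access token.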