Role id not available

So I want to add the user roles to the ID and access tokens. Searched the forum, and found threads like this:

Problem is, it shows you how to add the role names (which you can change from the GUI). What I want to do is add the unique role ID to the tokens, but I cannot find an example of how to do this.

PS! The link shows how to do this with Rules, but I’ve implemented it with Actions. Same thing, it seems.

Hi @andreaslasrssen,

Welcome to the Auth0 Community!

AFAIK, role IDs aren’t available in actions. You could use a key value pair to add them to the action manually, but that is a bit of a workaround and would require updating.

Can you expand on the use case of having the ID in the token?

Hi @dan.woda.

The reason I want the ID in the token, is because it’s (seemingly) what’s identifying the role. The name can change. I can’t build privileges based on something that can change.

If it’s at all possible to do this as a workaround, would you care to show me how?

The name should only change if you (or another admin) change it. For the sake of argument; an admin could just as easily delete the role, the ID would be lost, and it would have the same effect as changing the name, although it would be unrecoverable.

I’m not sure I see the benefit of using ID vs name in the scenario you are describing. :thinking:

Additionally, the workaround I described above requires writing the role IDs directly in the action, which is not an elegant solution, and could cause pain down the road.

Not sure I buy your argument. There’s a huge difference between changing a name (that has no visual relation to app logic) and deleting the role itself. There’s a reason you can change the name, and not the ID. The ID is IDentifying. The name is a name.

Also: Auth0 Management API v2

Certainly, but neither will happen without admin intervention, and you can expect the name to remain static unless you choose to change it.

There isn’t a way to get role IDs in an Action without calling the management API (which is not recommended as you will quickly run into management API rate limits), or writing the values directly in the code.

Can you expand on your use case? When are you making the call to the management API?

In addition, you can create a Feature Request for this.
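The "key value pair" workaround described above (role names mapped to IDs inside the Action, without a Management API call), written out as an added example; it is not code from this thread or from Auth0. It assumes an Action secret named ROLE_ID_MAP holding a JSON object of role name to role ID, the claim namespace https://example.com, and role IDs that are constructed placeholders. event.authorization.roles and api.idToken.setCustomClaim are the real post-login Action hooks; the api stub and the event at the bottom are constructed so the logic runs offline. Names missing from the map are dropped rather than guessed, so a renamed role loses its ID claim instead of silently keeping one.

```javascript
// Added example (not from the thread): an Auth0 post-login Action that adds
// role IDs as a namespaced custom claim without calling the Management API.
// It assumes an Action secret named ROLE_ID_MAP containing a JSON object
// that maps role names to role IDs, e.g.
//   {"admin":"rol_abc123","editor":"rol_def456"}
// The role IDs used here are constructed placeholders, not real identifiers.
const NAMESPACE = 'https://example.com'; // assumed claim namespace

// Parse the map secret. A missing or malformed secret yields an empty map,
// so the login still succeeds but no role IDs are issued (fail closed).
function parseRoleMap(secretValue) {
  try {
    const parsed = JSON.parse(secretValue || '{}');
    return parsed && typeof parsed === 'object' && !Array.isArray(parsed) ? parsed : {};
  } catch (_) {
    return {};
  }
}

// Translate the role names Auth0 already exposes in event.authorization.roles
// into IDs. Names absent from the map are dropped and reported so an admin
// can extend the map; the hasOwnProperty guard keeps a role literally named
// "constructor" or "__proto__" from resolving through Object.prototype.
function roleIdsFor(roleNames, roleMap) {
  const ids = [];
  const unmapped = [];
  for (const name of roleNames || []) {
    if (Object.prototype.hasOwnProperty.call(roleMap, name)) {
      ids.push(roleMap[name]);
    } else {
      unmapped.push(name);
    }
  }
  return { ids, unmapped };
}

// Synchronous core so it can be exercised without the Action runtime.
function applyRoleClaims(event, api) {
  if (!event.authorization) return { ids: [], unmapped: [] }; // e.g. client-credentials flows
  const roleMap = parseRoleMap(event.secrets && event.secrets.ROLE_ID_MAP);
  const result = roleIdsFor(event.authorization.roles, roleMap);
  if (result.unmapped.length > 0) {
    console.log(`roles without an ID mapping: ${result.unmapped.join(', ')}`);
  }
  api.idToken.setCustomClaim(`${NAMESPACE}/role_ids`, result.ids);
  api.accessToken.setCustomClaim(`${NAMESPACE}/role_ids`, result.ids);
  return result;
}

// The Action entry point Auth0 invokes.
const onExecutePostLogin = async (event, api) => {
  applyRoleClaims(event, api);
};

// Minimal stand-in for the Action "api" object: records the claims that
// would be written to each token.
function makeApiStub() {
  const claims = { idToken: {}, accessToken: {} };
  return {
    claims,
    idToken: { setCustomClaim: (k, v) => { claims.idToken[k] = v; } },
    accessToken: { setCustomClaim: (k, v) => { claims.accessToken[k] = v; } },
  };
}

// Constructed event: the user holds "admin" (mapped) and "viewer" (unmapped).
function demo() {
  const event = {
    authorization: { roles: ['admin', 'viewer'] },
    secrets: { ROLE_ID_MAP: '{"admin":"rol_abc123","editor":"rol_def456"}' },
    user: { user_id: 'auth0|constructed' },
  };
  const api = makeApiStub();
  applyRoleClaims(event, api);
  return api.claims;
}

if (typeof module !== 'undefined') {
  module.exports = { onExecutePostLogin, parseRoleMap, roleIdsFor, applyRoleClaims, makeApiStub, demo };
}
```

Whichever variant ends up in the token, a role claim read by a SPA can only gate what the UI shows; the API behind it has to validate the access token and make the same role decision server-side, because anything in the browser can be edited by the user.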

I understand that the name won’t change if you don’t change it, but there’s no indication in the GUI that changing the name will break the app. On the contrary, as you’re able to change the name, it’s presented as a harmless action. Which won’t be true when using the name as an identifier.

So, I did this for now, as I don’t expect to hit rate limits:

exports.onExecutePostLogin = async (event, api) => {
  // Namespace the custom claim so it cannot collide with standard OIDC claims
  const namespace = 'namespace';

  if (event.authorization) {
    const ManagementClient = require('auth0').ManagementClient;

    // Credentials of a Machine-to-Machine application authorized for the
    // Management API, stored as Action secrets
    const management = new ManagementClient({
      domain: event.secrets.domain,
      clientId: event.secrets.client_id,
      clientSecret: event.secrets.client_secret,
    });

    try {
      // Returns the user's role objects (id, name, description), not just the names
      const roles = await management.getUserRoles({ id: event.user.user_id });
      api.idToken.setCustomClaim(`${namespace}/roles`, roles);
      api.accessToken.setCustomClaim(`${namespace}/roles`, roles);
    } catch (e) {
      // Handle error
    }
  }
};

As you say, it’s not ideal, but as far as I can tell it’s the only way. So much hassle, instead of Auth0 just exposing more than just the name of the role (for some reason). Will add a feature request.

As for my use case, I have a SPA, and use the role (id) to control GUI access.

Thanks for the additional context. I’ll post a link to the feature request when it comes in.

Already posted: Expose more than the name of the role in the context event

