Roles and permissions from Auth0 Extension not being added to id token in Next app

I have Auth0 users that belong to Groups in the Auth0 Extension. Each group is a group of Roles. Each Role is a group of Permissions. Access to operations on the front and backend of my apps are dictated by what permissions they have.

I have an existing Rules object in the Auth Pipeline that adds rules and permissions to the id token, and it works for my old apps built with Create-React-App, but it does not seem to work for the NextJs app I just built.

I tried adding roles with this action:

exports.onExecutePostLogin = async (event, api) => {
  const namespace = 'https://my-app.example.com';
  if (event.authorization) {
    api.idToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
    api.accessToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
  }
}

However, this just adds

https://my-app.example.com/roles: ['admin']

to the user object, which isn’t particularly helpful. ‘admin’ is a group, which should be an object containing roles, which in turn should be objects containing permissions.

I understand I may have to use the Management API to get the information I want on the backend, but before I do that I want to understand what has changed that means my Create-React-App apps work to get the id token with roles and permissions, but my Next app doesn’t?

Hi @melanie.alexandra,

Welcome to the Auth0 Community!

First, let me explain that the event.authorization.roles property in your Post-Login Action refers only to the Roles assigned to the user through the Authorization Core implementation instead of the Authorization Extension.

In this case, you will want to also add the user’s permissions granted by the role as a custom claim. This is also mentioned in our How to add Roles and Permissions to the ID Token using Actions? FAQ.

Now, as far as why it works in your React App and not in your Next.js App, I am not sure. Have you checked whether your users are being assigned to these roles and permissions in the Authorization Extension specifically for that application?

You will have to verify in the Authorization Extension:

  1. The permission was created specifically for your Next.js app
  2. The role was created specifically for your Next.js app
  3. The user was assigned to the role that is for your Next.js app

For example:

Please let me know how this goes for you.

Thanks,
Rueben
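To make the distinction in this reply concrete, here is an added example (not the poster's Action and not the code from Auth0's FAQ) of a Post-Login Action that adds both the Authorization Core roles and the permissions those roles grant as namespaced custom claims, together with the check an app would run on the consuming side. It assumes `event.authorization.roles` is populated by Authorization Core, and it takes the permission lookup as an injected `getPermissions` function so the logic runs offline; in a deployed Action that function would call the Management API (for example through the `auth0` Node SDK) using a client-credentials grant. The `demo` function, the user id, the role and permission names, and the `NAMESPACE` value are all constructed sample data.

```javascript
// Added example: Post-Login Action that sets roles AND permissions as custom claims.
// `getPermissions` is injected (assumption) so the logic can be exercised without
// network access; a real Action would back it with a Management API call.

const NAMESPACE = 'https://my-app.example.com'; // constructed namespace

function buildClaims(roles, permissions, namespace = NAMESPACE) {
  // Deduplicate and sort so the token content is stable regardless of API ordering.
  const uniq = (xs) => Array.from(new Set(xs || [])).sort();
  return {
    [`${namespace}/roles`]: uniq(roles),
    [`${namespace}/permissions`]: uniq(permissions),
  };
}

async function onExecutePostLogin(event, api, getPermissions) {
  if (!event.authorization) {
    // No Authorization Core data on this login (e.g. a machine-to-machine flow): add nothing.
    return;
  }
  let permissions = [];
  try {
    permissions = await getPermissions(event.user.user_id);
  } catch (err) {
    // Lookup failed: the login still completes, but the token carries an empty
    // permission list so the app denies instead of guessing.
    permissions = [];
  }
  const claims = buildClaims(event.authorization.roles, permissions);
  for (const [name, value] of Object.entries(claims)) {
    api.idToken.setCustomClaim(name, value);
    api.accessToken.setCustomClaim(name, value);
  }
}

// Consumer side (e.g. a Next.js API route): read the namespaced claim and
// enforce a single permission. A missing or malformed claim means "deny".
function hasPermission(tokenClaims, permission, namespace = NAMESPACE) {
  const granted = tokenClaims[`${namespace}/permissions`];
  return Array.isArray(granted) && granted.includes(permission);
}

// Offline demonstration with constructed event/api objects standing in for
// what Auth0 passes to the Action; returns the claims that were set.
async function demo() {
  const event = {
    user: { user_id: 'auth0|example-user' },   // constructed user id
    authorization: { roles: ['admin'] },        // constructed Authorization Core role
  };
  const captured = { idToken: {}, accessToken: {} };
  const api = {
    idToken: { setCustomClaim: (k, v) => { captured.idToken[k] = v; } },
    accessToken: { setCustomClaim: (k, v) => { captured.accessToken[k] = v; } },
  };
  // Stub lookup returning constructed permissions (with a duplicate to show dedup).
  const getPermissions = async (userId) =>
    userId === 'auth0|example-user'
      ? ['read:reports', 'write:reports', 'read:reports']
      : [];
  await onExecutePostLogin(event, api, getPermissions);
  return captured;
}

if (typeof module !== 'undefined') {
  module.exports = { NAMESPACE, buildClaims, onExecutePostLogin, hasPermission, demo };
}
```

Running `demo()` yields an id token and access token that both carry `https://my-app.example.com/roles` as `['admin']` and `https://my-app.example.com/permissions` as `['read:reports', 'write:reports']`; the app then calls `hasPermission(claims, 'write:reports')` rather than inspecting the role name, which is the point of adding the permission claim alongside the roles.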

That all makes sense - the app that’s working is for an Application in Auth0 that we pay for business users in the Organizations tab, whereas we don’t pay for organizations in the new one, so I guess it wouldn’t be able to access the Auth Extension permissions because the Users we created the Auth Extensions permissions apply to are members of organisations? Is that likely to be the case?

Hi @melanie.alexandra,

Thanks for the reply.

You could always create new Roles and Permissions in your Authorization Extension that’s for your new Application, and then assign them to your users. Could you please try that and see if that works?

Let me also clarify that assigning roles to your user through an Organization is not the same as assigning the roles through the Authorization Extension. If users are assigned to Roles in an Organization, you will not see the Roles assigned in the Authorization Extension and vice versa.

Thanks,
Rueben
