The token has no roles. I’ve added a role to a user in Auth0. I created an action to add the role to the token after login (link to doc w/ sample). I’ve read through many similar-sounding posts here in Discourse.
The token has these keys.
[
"family_name",
"given_name",
"name",
"nickname",
"picture",
"sub",
"updated_at"
]
How do I add the user’s roles to the token?
I should clarify that the Action I created is active on the Login/Post Login flow for the same tenant as the user that is assigned a role.
My use case is matching token roles with Caddy Security (link to doc). If the roles claim, or one of the other claims where roles can appear are populated, then I can authorize requests on that basis.
Are you including the Organization ID in your Authorization request? If so, you need to assign a role from the Organization to ensure that the role is included in the token.
Thank you for the reply. I understand organizations to be an optional feature. I’m able to add roles without using the organizations feature. Are you saying the example I linked for the login flow action only applies to tenants that are subscribed to a non-free plan with the organization feature enabled?
I’ve changed focus from setting a custom claim to setting app_metadata because I learned that my application is already looking in app_metadata.authorization.roles in the token to find roles.
My login action is like this:
exports.onExecutePostLogin = async (event, api) => {
if (event.authorization) {
var authorization = {"roles": event.authorization.roles}
api.user.setAppMetadata(`authorization`, authorization);
}
}
This does have the intended effect of populating app_metadata. Now I can at least be certain the action is functioning.
In my application (Caddy Security), I can see the OIDC id token and OAuth access token are received. The id token looks normal to me, but the access token has a null claimset.
There are no characters between the . separators, only the JWT header and signature are defined.
The reason for no character set in the token because required parameters not in Authorization request.
Sample Authorization request
https://<Domain>/authorize
?response_type=code
&client_id=<Client ID >
&redirect_uri=
http://localhost:4200/home
&scope=openid%20profile%20email
Action to add roles
exports.onExecutePostLogin = async (event, api) => {
const namespace = 'Test_Role';
if (event.authorization) {
api.accessToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
console.log(event.authorization);
}
};
The above mentioned action code will add user roles to access token.
It will only work on the specified domain name in the URL. It will add other tenant domain permissions.
please share the status if you have been able to achieve this on your end.
To clarify, the value of <Domain> in the request example must match the value of namespace in the action example?
It is Auth0 Domain. You can find this above Client ID
I understand the authorization request must be submitted to the tenant domain. I may have misunderstood when you said:
I interpreted this like “the custom claim will be added to the access token if the value of namespace matches the value of <Domain> (the tenant domain name).” Is that the correct interpretation?
Thank you for your help!
No. namespace can be anything. It is not problem.