I am migrating rules to actions and I found one issue when it comes to updating users' roles in a Login / Post Login action.
I make use of the permissions array of the access token in my application, so I activated RBAC and the option to add permissions in the access token.
In the Login / Post login action, I assign a role to the user if the user has no assigned roles yet. I use the Auth0 Management API to do this (https://auth0.github.io/node-auth0/module-management.ManagementClient.html#assignRolestoUser).
After the action has successfully run and the user has logged in, the permissions array is empty in the access token. If this user does a relog, everything works as expected.
With rules, the permissions were also correctly filled after the first login.
Don’t use a Management API call for this. You can add a custom roles claim in a post-login action like this:
/**
 * @param {Event} event - Details about the user and the context in which they are logging in.
 * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
 */
exports.onExecutePostLogin = async (event, api) => {
  const namespace = 'https://my-app.example.com';
  if (event.authorization) {
    api.idToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
    api.accessToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
  }
};
Just to clarify: We need the permissions of the rule managed inside the Auth0 configuration in the access token. We do not need the rule as a custom claim in the access token. We only care about the permissions behind the roles.
Can anyone help with this topic? Jeff’s proposal does not help, since we do not care about the roles which are assigned to the user. We only care about the permissions behind the roles assigned to the user.
With rules, everything worked fine. Isn’t this a bug inside the actions implementation?
@kl.auth This is correct - Assuming you have RBAC enabled for the API and have toggled on the option to “Add Permissions in the Access Token”, you should see them in your Access Token. Note that the ID Token will still only have the "namespace/roles": ["role"].
Unfortunately, only namespaced custom claims are currently supported:
To keep your custom claims from colliding with any reserved claims or claims from other resources, give them a globally unique name using a namespaced format.
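An added example, not part of any post in this thread and not Auth0's code: how an API receiving these access tokens can fail closed on the `permissions` array and use the namespaced roles claim only for diagnostics. The function name, permission names, role names and sample claims are hypothetical, and the claims are assumed to come from a token whose signature, issuer and audience were already verified.

```javascript
'use strict';

// Same namespace as the Action posted earlier in the thread.
const NAMESPACE = 'https://my-app.example.com';

// Treat anything that is not an array of strings as "nothing granted".
function asStringArray(value) {
  return Array.isArray(value) ? value.filter((v) => typeof v === 'string') : [];
}

// claims: payload of an already-verified access token.
// required: permissions the endpoint needs (hypothetical names).
function checkPermissions(claims, required) {
  const granted = new Set(asStringArray(claims && claims.permissions));
  const roles = asStringArray(claims && claims[`${NAMESPACE}/roles`]);
  const missing = required.filter((p) => !granted.has(p));

  let reason = 'ok';
  if (missing.length > 0) {
    if (granted.size === 0 && roles.length === 0) {
      // Token shape reported in the thread for the first login after the
      // role was assigned inside the action: nothing to authorize with.
      reason = 'no_roles_no_permissions';
    } else if (granted.size === 0) {
      // Roles claim present but no permissions: the roles are never used
      // to grant access here, only reported.
      reason = 'roles_without_permissions';
    } else {
      reason = 'insufficient_permissions';
    }
  }
  return { allowed: missing.length === 0, missing, roles, reason };
}

// Constructed sample payloads (not real tokens).
const firstLoginClaims = { sub: 'auth0|example', permissions: [] };
const reloginClaims = {
  sub: 'auth0|example',
  permissions: ['read:reports'],
  [`${NAMESPACE}/roles`]: ['viewer'],
};

console.log(checkPermissions(firstLoginClaims, ['read:reports']));
console.log(checkPermissions(reloginClaims, ['read:reports']));
```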
Is this the same for groups coming from Azure AD? We are finding the Auth0 user has the groups from Azure AD but they are not available to do claim mapping when implementing a login Action.
As this topic is related to Actions and Rules & Hooks are being deprecated soon in favor of Actions, I’m excited to let you know about our next Ask me Anything session in the Forum on Thursday, January 18 with the Rules, Hooks and Actions team on Rules & Hooks and why Actions matter! Submit your questions in the thread above and our esteemed product experts will provide written answers on January 18. Find out more about Rules & Hooks and why Actions matter! Can’t wait to see you there!