Setting a user role in an action will not update the permissions in the access token

kl.auth · October 6, 2021, 10:42am

I am migrating roles to actions and I found one issue when it comes to updating users roles in an Login / Post login action.

I make use the permissions array of the access token in my application, so I activated RBAC and the option to add permissions in the access token.

In the Login / Post login action, I assign a role to the user if the user has no assigned roles yet. I use the Auth0 Management API to do this (https://auth0.github.io/node-auth0/module-management.ManagementClient.html#assignRolestoUser).
After the action has successfully run and the user logged in, the permissions array is empty in the access token. If this user does a relog, everything works as expected.

With rules, the permissions were also correctly filled after the first login.

Can you help me with this issue?

jeff0 · October 6, 2021, 11:03am

Hi @kl.auth

Welcome to Auth0 Community !!!

Don’t use Management API call for this. You can add a custom roles claim in a post-login action like this:

/**
 * @param {Event} event - Details about the user and the context in which they are logging in.
 * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
 */
exports.onExecutePostLogin = async (event, api) => {
  const namespace = 'https://my-app.example.com';
  if (event.authorization) {
    api.idToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
    api.accessToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
  }
}

Hope it helps

Thanks
Jeff

kl.auth · October 7, 2021, 1:50pm

Just to clarify: We need the permissions of the rule managed inside the Auth0 configuration in the access token. We do not need the rule as a custom claim in the access token. We only care about the permissions behind the roles.

kl.auth · October 11, 2021, 8:02am

Can anyone help with this topic? Jeffs proposal does not help, since we do not care about the roles which are assigned to the user. We only care about the permissions behind the roles assigned to the user.

With rules, everything worked fine. Isn’t this a bug inside the actions implementation?

ruben.bresler · November 19, 2021, 7:03pm

What i did is to add roles to users using a Post Registration User action.

exports.onExecutePostUserRegistration = async (event) => {
  
  const ManagementClient = require('auth0').ManagementClient;

  var management = new ManagementClient({
      domain: event.secrets.CLI_DOMAIN,
      clientId: event.secrets.CLI_CLIENT_ID,
      clientSecret: event.secrets.CLI_CLIENT_SECRET,
      scope: 'read:roles update:roles'
  });

  const params =  { id : event.user.user_id};
  const data = { "roles" : [event.secrets.DEFAULT_ROLE_ID]};

  management.users.assignRoles(params, data, (err, user) => {
    if (err) {
      // Handle error.
      console.log(err);
    } else {
      console.log('user role assigned');
    }
  });
};

denis.volokh · March 8, 2022, 10:23am

I have the same issue, after updating the user’s role in action permissions array is empty in the access token.

nc14 · March 22, 2022, 3:44pm

how do you set the roles to be a key:value pair? When I try this in my console I get

{
  'https://localhost:3000.com/roles': [ 'user' ],
  nickname: 'test',
  name: 'test@test.com',
  picture: 'https://s.gravatar.com/avatar/b642b4217b34b1e8d3bd915fc65c4452?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fte.png',
  updated_at: '2022-03-22T14:26:31.519Z',
  email: 'test@test.com',
  email_verified: false,
  sub: 'auth0|6228c2435b5a0b00700561f1'
}

Why does it force a namespace? can’t I just add it so it’s

roles:[list of roles}

?

kcwardwell · March 23, 2022, 6:01pm

The code in jeff0 post will place permissions in the access token if the permission are assigned to roles through the dashboard.

tyf · March 23, 2022, 9:36pm

Thanks for sharing @kcwardwell !

@kl.auth This is correct - Assuming you RBAC enabled for the API and have toggled on the option to “Add Permissions in the Access Token” you should see them in your Access Token. Note that the ID Token will still only have the "namespace/roles": ["role"]

tyf · March 23, 2022, 9:55pm

Unfortunately, only namespaced custom claims are currently supported:

To keep your custom claims from colliding with any reserved claims or claims from other resources, give them a globally unique name using a namespaced format.

nicholas.archibald · March 24, 2022, 9:23pm

Is this the same for groups coming from Azure AD? We are finding the Auth0 user has the groups from Azure AD but they are not available to do claim mapping when implementing a login Action.

konrad.sopala · January 8, 2024, 12:05pm

Hey there!

As this topic is related to Actions and Rules & Hooks are being deprecated soon in favor of Actions, I’m excited to let you know about our next Ask me Anything session in the Forum on Thursday, January 18 with the Rules, Hooks and Actions team on Rules & Hooks and why Actions matter! Submit your questions in the thread above and our esteemed product experts will provide written answers on January 18. Find out more about Rules & Hooks and why Actions matter! Can’t wait to see you there!

Learn more here!