Setting a user role in an action will not update the permissions in the access token

I am migrating rules to actions and I found one issue when it comes to updating users' roles in a Login / Post Login action.

I make use of the permissions array of the access token in my application, so I activated RBAC and the option to add permissions to the access token.

In the Login / Post login action, I assign a role to the user if the user has no assigned roles yet. I use the Auth0 Management API to do this (ManagementClient - Documentation).
After the action has run successfully and the user has logged in, the permissions array in the access token is empty. If this user logs in again, everything works as expected.

With rules, the permissions were also correctly filled after the first login.

Can you help me with this issue?

1 Like

Hi @kl.auth

Welcome to the Auth0 Community!

Don’t use a Management API call for this. You can add a custom roles claim in a post-login action like this:

/**
 * @param {Event} event - Details about the user and the context in which they are logging in.
 * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
 */
exports.onExecutePostLogin = async (event, api) => {
  const namespace = 'https://my-app.example.com';
  if (event.authorization) {
    api.idToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
    api.accessToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
  }
}

Hope it helps

Thanks
Jeff

1 Like

Just to clarify: we need the permissions of the role managed inside the Auth0 configuration in the access token. We do not need the role as a custom claim in the access token. We only care about the permissions behind the roles.

Can anyone help with this topic? Jeff's proposal does not help, since we do not care about the roles which are assigned to the user. We only care about the permissions behind the roles assigned to the user.

With rules, everything worked fine. Isn’t this a bug inside the actions implementation?

3 Likes

What I did was add roles to users using a Post User Registration action.

exports.onExecutePostUserRegistration = async (event) => {
  const { ManagementClient } = require('auth0');

  // Machine-to-machine credentials stored as action secrets.
  // Assigning roles to a user calls POST /api/v2/users/{id}/roles,
  // which requires the update:users scope (not update:roles).
  const management = new ManagementClient({
      domain: event.secrets.CLI_DOMAIN,
      clientId: event.secrets.CLI_CLIENT_ID,
      clientSecret: event.secrets.CLI_CLIENT_SECRET,
      scope: 'update:users'
  });

  const params = { id: event.user.user_id };
  const data = { roles: [event.secrets.DEFAULT_ROLE_ID] };

  // Await the call instead of passing a callback: the action can finish
  // before a fire-and-forget callback runs, so the assignment may be lost.
  try {
    await management.users.assignRoles(params, data);
    console.log('user role assigned');
  } catch (err) {
    console.log(err);
  }
};

1 Like
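Added example, not code from the thread or from Auth0: a Post Login action that combines Jeff's custom-claim approach with the Management API role assignment shown in the post above. On a first login it assigns the default role and, in the same transaction, reads that role's permissions back and puts them in a namespaced claim, so the first access token is usable even though, as the thread observes, its standard "permissions" array is still empty. It assumes the node-auth0 v2/v3 ManagementClient API used in the thread, an M2M application granted read:roles and update:users, secrets named CLI_DOMAIN, CLI_CLIENT_ID, CLI_CLIENT_SECRET and DEFAULT_ROLE_ID, and the claim namespace https://my-app.example.com; the stubs at the bottom are constructed so the logic can be run offline.

```javascript
// Added example (not from the thread). Assumes node-auth0 v2/v3 ManagementClient,
// secrets CLI_DOMAIN / CLI_CLIENT_ID / CLI_CLIENT_SECRET / DEFAULT_ROLE_ID,
// and the namespace below; all of these are assumptions.
const NAMESPACE = 'https://my-app.example.com';

// Core logic, separated from the Actions entry point so it can be run offline
// against the in-memory stubs at the bottom of this file.
async function assignDefaultRoleAndClaims(event, api, management) {
  const existingRoles = (event.authorization && event.authorization.roles) || [];
  if (existingRoles.length > 0) {
    // The user already had roles when the login started, so with RBAC and
    // "Add Permissions in the Access Token" enabled Auth0 fills the standard
    // "permissions" array itself. Nothing to do.
    return { assigned: false, permissions: [] };
  }

  const roleId = event.secrets.DEFAULT_ROLE_ID;
  // POST /api/v2/users/{id}/roles (needs the update:users scope).
  await management.users.assignRoles({ id: event.user.user_id }, { roles: [roleId] });

  // The role was assigned after this transaction started, so the "permissions"
  // array of the token being issued stays empty (the behaviour the thread
  // describes). Read the role's permissions and expose them under a namespaced
  // claim instead. GET /api/v2/roles/{id}/permissions returns objects with
  // permission_name and resource_server_identifier.
  const rolePermissions = await management.roles.getPermissions({ id: roleId });
  const audience = event.resource_server && event.resource_server.identifier;
  const permissions = rolePermissions
    .filter((p) => !audience || p.resource_server_identifier === audience)
    .map((p) => p.permission_name)
    .sort();

  api.accessToken.setCustomClaim(`${NAMESPACE}/permissions`, permissions);
  return { assigned: true, permissions };
}

async function onExecutePostLogin(event, api) {
  const { ManagementClient } = require('auth0');
  const management = new ManagementClient({
    domain: event.secrets.CLI_DOMAIN,
    clientId: event.secrets.CLI_CLIENT_ID,
    clientSecret: event.secrets.CLI_CLIENT_SECRET,
    scope: 'read:roles update:users',
  });
  try {
    await assignDefaultRoleAndClaims(event, api, management);
  } catch (err) {
    // Do not block the login over a bootstrap failure: on the next login the
    // standard permissions array is populated anyway, as the thread observes.
    console.log('default role bootstrap failed', err);
  }
}

// Actions runtime entry point (guarded so the file also loads as an ES module).
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Constructed stubs for running offline; they record what the action would
// have sent to Auth0 instead of calling the Management API.
function makeStubs(existingRoles) {
  const calls = { assignRoles: [], claims: {} };
  const event = {
    user: { user_id: 'auth0|000000000000000000000000' },
    authorization: { roles: existingRoles },
    resource_server: { identifier: 'https://api.example.com' },
    secrets: { DEFAULT_ROLE_ID: 'rol_default' },
  };
  const api = {
    accessToken: { setCustomClaim: (name, value) => { calls.claims[name] = value; } },
  };
  const management = {
    users: { assignRoles: async (params, data) => { calls.assignRoles.push({ params, data }); } },
    roles: {
      getPermissions: async () => [
        { permission_name: 'write:orders', resource_server_identifier: 'https://api.example.com' },
        { permission_name: 'read:orders', resource_server_identifier: 'https://api.example.com' },
        { permission_name: 'read:reports', resource_server_identifier: 'https://other.example.com' },
      ],
    },
  };
  return { event, api, management, calls };
}

// Runs a first login (no roles) and a returning login (one role) offline.
async function runOffline() {
  const first = makeStubs([]);
  const firstResult = await assignDefaultRoleAndClaims(first.event, first.api, first.management);
  const returning = makeStubs(['user']);
  const returningResult = await assignDefaultRoleAndClaims(returning.event, returning.api, returning.management);
  return {
    first: { ...first.calls, result: firstResult },
    returning: { ...returning.calls, result: returningResult },
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  runOffline().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

The application then reads the standard "permissions" array and falls back to the namespaced claim when that array is empty; the Management API is only called on the user's first login, so normal logins add no extra requests against the Management API rate limit.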

I have the same issue: after updating the user’s role in an action, the permissions array is empty in the access token.

How do you set the roles to be a key:value pair? When I try this in my console I get

{
  'https://localhost:3000.com/roles': [ 'user' ],
  nickname: 'test',
  name: 'test@test.com',
  picture: 'https://s.gravatar.com/avatar/b642b4217b34b1e8d3bd915fc65c4452?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fte.png',
  updated_at: '2022-03-22T14:26:31.519Z',
  email: 'test@test.com',
  email_verified: false,
  sub: 'auth0|6228c2435b5a0b00700561f1'
}

Why does it force a namespace? Can’t I just add it so it’s

roles: [list of roles]

?

The code in jeff0's post will place permissions in the access token if the permissions are assigned to roles through the dashboard.

1 Like

Thanks for sharing @kcwardwell !

@kl.auth This is correct. Assuming you have RBAC enabled for the API and have toggled on the option to “Add Permissions in the Access Token”, you should see them in your Access Token. Note that the ID Token will still only have the "namespace/roles": ["role"] claim.

1 Like

Unfortunately, only namespaced custom claims are currently supported:

To keep your custom claims from colliding with any reserved claims or claims from other resources, give them a globally unique name using a namespaced format.

1 Like

Is this the same for groups coming from Azure AD? We are finding the Auth0 user has the groups from Azure AD but they are not available to do claim mapping when implementing a login Action.