Unable to add role to access token

I’m a bit at my wit’s end with rules… I’m following the PostgREST documentation’s suggestion (Overview of Role System — PostgREST 7.0.1 documentation) for adding a “role” field to an access token, but I simply cannot get it to work. My rule currently looks like this:

function addRoleToUser(user, context, callback) {
    const namespace = "http://raceday.watch/";

    user.app_metadata = user.app_metadata || {};
    context.accessToken[namespace + "role"] = user.app_metadata.role;
    callback(null, user, context);
}

However, any acquired access token never contains this role field:

{
    "iss": "https://raceday.us.auth0.com/",
    "sub": "wN0rNjxoHAuMdmneHM4jRc07a2pN0syK@clients",
    "aud": "http://raceday.watch",
    "iat": 1614258673,
    "exp": 1614345073,
    "azp": "wN0rNjxoHAuMdmneHM4jRc07a2pN0syK",
    "gty": "client-credentials"
}

Please help!

Hi @ScottKnick

First, go to Extensions in your tenant/dashboard and enable the Real Time Webtask Logs extension.
Open it up so you have the logs screen.

Then add some console.log statements to your rule.

It should help you figure out what is going on.

John

Ya, I’ve used that, but nothing ever shows up. This makes me feel like my rule is never fired. Is there something you have to do to tie it to an API or application? It is enabled.

Hi @ScottKnick

If it looks like your rule is never firing, it probably isn’t.
Make sure you are authenticating against the same tenant the rule is in.
Maybe your app is using the IDs from your dev tenant and you are changing/looking at the staging tenant rule?

You should be able to create a rule that returns an unauthorized error and fails all logins; if that is not working, you have something like I described above with the tenant situation.

John

I just added a different rule that only denies access, but I still get an access token:

function userWhitelist(user, context, callback) {
  return callback(new UnauthorizedError('Access denied.'));
}

However, I only have one tenant. I don’t see how the rules can’t be firing.

Even the logs show an access token being granted:

[image: screenshot of the tenant logs]

I’m at a loss. Any other ideas?

Hi @ScottKnick

You are using client credentials. Rules are not executed for the client credentials grant, only for user authentications.

How can you have user metadata (app_metadata in your sample above) if you are using client credentials?

So, you can switch to auth code or auth code + PKCE and have an actual user login, and use your rules. Or you can use the client credentials hook to access your token (in place of rules).

John
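To make the distinction in John's answer concrete, here is an added example (not code from the thread or from Auth0): the rule from the original post side by side with a Client Credentials Exchange hook that puts the same namespaced "role" claim on a machine-to-machine token, plus a small constructed simulation of the two grants so the difference is observable offline. The namespace is the one from the thread; the issuer, client ids, the client metadata key "role" and the simulation itself are assumptions. Note that Auth0 has since deprecated Hooks in favour of Actions, but the shape of the credentials-exchange extension point is the same idea.

```javascript
// Added example, not code from the thread. Shows why a rule never runs for the
// client credentials grant and how a Client Credentials Exchange hook adds the
// claim instead. The namespace comes from the thread; the issuer, client ids and
// the client metadata key "role" are assumptions.

const NAMESPACE = "http://raceday.watch/";

// Auth0 exposes UnauthorizedError as a global inside rules; defined here so the
// example runs stand-alone.
class UnauthorizedError extends Error {}

// The rule from the thread. Rules run only for user authentications, so `user`
// (and user.app_metadata) exists here.
function addRoleToUser(user, context, callback) {
  user.app_metadata = user.app_metadata || {};
  context.accessToken[NAMESPACE + "role"] = user.app_metadata.role;
  callback(null, user, context);
}

// The deny-all rule from the thread.
function userWhitelist(user, context, callback) {
  return callback(new UnauthorizedError("Access denied."));
}

// A Client Credentials Exchange hook. Auth0 calls it as (client, scope, audience, cb);
// the object handed to cb is merged into the access token as extra claims. There is
// no user, so the role has to live on the application itself (client.metadata,
// key "role" assumed here).
function clientCredentialsHook(client, scope, audience, cb) {
  const access_token = {};
  access_token.scope = scope;
  const role = client.metadata && client.metadata.role;
  if (role) {
    // Custom claims must be namespaced with a URL, otherwise Auth0 drops them.
    access_token[NAMESPACE + "role"] = role;
  }
  cb(null, access_token);
}

// ---- constructed simulation of the token endpoint (not Auth0 internals) ----

const ISSUER = "https://example.auth0.com/"; // assumed tenant

// Client credentials grant: no user, rules are skipped, only the hook runs.
function issueClientCredentialsToken(client, scope, audience, hook) {
  const claims = {
    iss: ISSUER,
    sub: client.client_id + "@clients",
    aud: audience,
    azp: client.client_id,
    gty: "client-credentials",
  };
  if (hook) {
    hook(client, scope, audience, (err, extra) => {
      if (err) throw err;
      Object.assign(claims, extra);
    });
  }
  return claims;
}

// User login (auth code / auth code + PKCE): rules run in order, and a rule that
// passes an error to its callback aborts the login.
function issueUserToken(user, client, audience, rules) {
  const context = {
    clientID: client.client_id,
    accessToken: { iss: ISSUER, sub: user.user_id, aud: audience, azp: client.client_id },
  };
  for (const rule of rules) {
    let failure = null;
    rule(user, context, (err) => { failure = err; });
    if (failure) throw failure;
  }
  return context.accessToken;
}

// Constructed sample inputs.
const m2mClient = { client_id: "m2m-client-id", metadata: { role: "api_reader" } };
const spaClient = { client_id: "spa-client-id" };
const sampleUser = { user_id: "auth0|123", app_metadata: { role: "admin" } };
const AUD = "http://raceday.watch";

// True when the given rules reject the sample user's login.
function userLoginDenied(rules) {
  try {
    issueUserToken(sampleUser, spaClient, AUD, rules);
    return false;
  } catch (e) {
    return e instanceof UnauthorizedError;
  }
}

function demo() {
  return {
    m2mNoHook: issueClientCredentialsToken(m2mClient, "read:races", AUD, null),
    m2mWithHook: issueClientCredentialsToken(m2mClient, "read:races", AUD, clientCredentialsHook),
    userLogin: issueUserToken(sampleUser, spaClient, AUD, [addRoleToUser]),
    denyRuleBlocksUser: userLoginDenied([userWhitelist]),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the M2M token without the hook looking exactly like the one in the original post (no role claim, `gty: "client-credentials"`), the same grant with the hook carrying `http://raceday.watch/role`, the user login token getting the claim from the rule, and the deny rule failing only the user login while the client credentials grant is untouched.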

Consider me thoroughly befuddled by everything. I don’t want to sound unappreciative of what Auth0 provides and the complexities it provides a means of managing, but I feel like I need a Master’s degree in OAuth and similar topics to make any headway here!

I guess the thing that I’m really struggling with is conceptually coming to terms with the concepts of Applications and APIs and how they relate to each other. I think my problem in this case is that I’m using the incorrect application type… By using Machine to Machine, I’m not going to be able to login as an actual user, and therefore adding a role isn’t relevant. Does that sound right?

Hi Scott,

That is correct: Machine to Machine, also known as Client Credentials, is used for backend applications to communicate with APIs. There is no end user involved in this.

What kind of application are you using? Is it a SPA (all logic in the browser in JavaScript), a classic web app (a mostly HTML front end with a backend handling logic), or a mobile/native app?

I’d suggest going to the dashboard:

  • Create a new application
  • Choose the appropriate kind (SPA, classic, native, but not M2M)
  • Choose your tech stack (there will be many listed)
  • Download the quickstart that results and compile and run it.

This should get you a basic auth flow going, then you can continue from there.

John

Thanks. Your description of why choosing SPA (all logic in the browser) vs. a “classic” web app (a mostly HTML front end with a backend handling logic) just made it much clearer why that matters! If that description of each application type isn’t already present in the documentation, I would get it added! 🙂

I’ll keep playing with it. Thanks for the help thus far.


No worries! We are here for ya!