Unable to Retrieve Custom "Roles" Claim from Access Token at /userinfo Endpoint

Hello Auth0 Community,

I am having trouble retrieving custom “roles” claims from an access token using the /userinfo endpoint. I’ve set up an Auth0 Identity Provider (IdP) and Service Provider (SP), where the SP redirects a user to the IdP for authentication. Upon authentication, the user is redirected back to my application, and both access and ID tokens are generated successfully.

I’ve added custom “roles” claims to these tokens, expecting to retrieve them through the /userinfo endpoint. In my IdP, I’ve added the following custom login action:

exports.onExecutePostLogin = async (event, api) => {
  const namespace = 'abcnamespace';
  api.idToken.setCustomClaim(`${namespace}/role`, event?.authorization?.roles);
  api.accessToken.setCustomClaim(`${namespace}/role`, event?.authorization?.roles);

  api.idToken.setCustomClaim(`${namespace}/testdata`, "123");
  api.accessToken.setCustomClaim(`${namespace}/testdata`, "123");

  if (event?.user?.user_metadata?.first_name) {
      api.idToken.setCustomClaim(`${namespace}/given_name`, event.user.user_metadata.first_name);
      api.accessToken.setCustomClaim(`${namespace}/given_name`, event.user.user_metadata.first_name);
  }
  if (event?.user?.user_metadata?.last_name) {
      api.idToken.setCustomClaim(`${namespace}/family_name`, event.user.user_metadata.last_name);
      api.accessToken.setCustomClaim(`${namespace}/family_name`, event.user.user_metadata.last_name);
  } 
}

Here, “family_name” and “given_name” are added correctly to the tokens and can be retrieved using the /userinfo endpoint. However, the “role” claims, while they appear in the user’s rawData on the Auth0 SP dashboard (albeit without the namespace), cannot be retrieved from either the access token or /userinfo endpoint.

From the client-side, I pass the audience as follows:

<Auth0Provider {...providerConfig}
        scope="openid profile email read:current_user update:current_user_metadata"
        audience={`my-audience-here`}
    >
        {children}
</Auth0Provider>

I also attempted adding “read:roles read:role_members” to the scope, but without success.

FYI, I have read almost all the custom claims posts in the auth0 community but nothing seems to work, including this How to add Roles and Permissions to the ID Token using Actions?

I would appreciate any insights or suggestions on how to correctly add and retrieve these custom “role” claims from the access token and the /userinfo endpoint.

Hello @Alex0 welcome to the community!

Thanks for the detailed description Everything code-wise looks fine, so I’m guessing it’s a configuration issue somewhere.

Where exactly are you referring to that you can see the user’s associated roles?

Keep us posted!

They appear in the User Management dashboard for my auth0 SP:

Screenshot 2023-07-20 at 5.21.20 PM3064×286 34.5 KB

Thanks for confirming! How are you assigning roles? Does the user have the same roles in “Roles” section in the same User Management screen?

So I’m assigning the user roles in my IdP using User Management>Roles, so a user with 2 roles would look like this on my IdP:

Screenshot 2023-07-20 at 5.34.49 PM3248×830 172 KB

The Raw Json Section would not show the role claim in the IdP, However on the SP, the roles would show in the Raw JSON section:

The roles section in the SP would be empty, which I think is expected:

Screenshot 2023-07-20 at 5.35.10 PM3140×690 142 KB

Hi @Alex0,

I’m jumping in for @tyf while he’s out.

Make sure you are following the Create Custom Claims namespace guidelines.

Specifically:

Use the following guidelines for namespace identifiers:

• Use any non-Auth0 HTTP or HTTPS URL as a namespace identifier. Auth0 domains cannot be used as namespace identifiers, and include:
  • auth0.com
  • webtask.io
  • webtask.run
• Use a URL that you control as a namespace identifier; this allows you to avoid the risk that someone else is using the same namespace. The namespace URL does not have to point to an actual resource. It is only used as an identifier; it will not be called.
• Begin the URL with http:// or https://.
• Create multiple namespaces, as needed.

Once you have chosen your namespace, append the claim to it to create a namespaced claim, which can be added to a token. For example:

http://www.example.com/favorite_color

Thanks @dan.woda, In the original post I shared code where I set up my namespace as const namespace = 'abcnamespace'; still not showing up in the access token. I also followed this guide: How to add Roles and Permissions to the ID Token using Actions? and also this Create Custom Claims

Note that neither https://abcnamespace nor abcnamespace would show up in the access token or userinfo endpoint

Can you try http://www.example.com and see if that works?

@dan.woda I tried using http://www.example.com, and that didn’t work either.

Okay, I was able to test it and confirm both the original code you posted (with the abc... namespace), and with the http://www.example.com namespace.

I used that Action and was able to retrieve the custom claims in the ID and Access Tokens and from the userinfo endpoint.

I’m wondering if maybe the Action isn’t firing at all. Can you please confirm it has been deployed and has been added to the post login actions flow? (If this doesn’t solve it, please DM me your tenant name so I can look at your config, thanks.)

image1404×1197 150 KB

image1432×777 49.6 KB

Thank you for looking into this, The action has been deployed and apparently is triggering as I can see the custom claim (although without the namespace) returned in the raw user object in the SP, I uploaded some screenshots a few days ago.

I’ve DM’ed you, my tenant name.

Perfect, I replied in the DM.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.