Unable to Retrieve Custom "Roles" Claim from Access Token at /userinfo Endpoint

Hello Auth0 Community,

I am having trouble retrieving custom “roles” claims from an access token using the /userinfo endpoint. I’ve set up an Auth0 Identity Provider (IdP) and Service Provider (SP), where the SP redirects a user to the IdP for authentication. Upon authentication, the user is redirected back to my application, and both access and ID tokens are generated successfully.

I’ve added custom “roles” claims to these tokens, expecting to retrieve them through the /userinfo endpoint. In my IdP, I’ve added the following custom login action:

exports.onExecutePostLogin = async (event, api) => {
  // Prefix for every custom claim so it cannot collide with standard OIDC claims
  const namespace = 'abcnamespace';

  // Roles assigned to the user in Auth0 (undefined if the user has none)
  api.idToken.setCustomClaim(`${namespace}/role`, event?.authorization?.roles);
  api.accessToken.setCustomClaim(`${namespace}/role`, event?.authorization?.roles);

  // Static test claim, useful to confirm the Action is firing at all
  api.idToken.setCustomClaim(`${namespace}/testdata`, "123");
  api.accessToken.setCustomClaim(`${namespace}/testdata`, "123");

  // Copy name fields from user_metadata into both tokens when present
  if (event?.user?.user_metadata?.first_name) {
    api.idToken.setCustomClaim(`${namespace}/given_name`, event.user.user_metadata.first_name);
    api.accessToken.setCustomClaim(`${namespace}/given_name`, event.user.user_metadata.first_name);
  }
  if (event?.user?.user_metadata?.last_name) {
    api.idToken.setCustomClaim(`${namespace}/family_name`, event.user.user_metadata.last_name);
    api.accessToken.setCustomClaim(`${namespace}/family_name`, event.user.user_metadata.last_name);
  }
};

Here, “family_name” and “given_name” are added correctly to the tokens and can be retrieved using the /userinfo endpoint. However, the “role” claims, while they appear in the user’s rawData on the Auth0 SP dashboard (albeit without the namespace), cannot be retrieved from either the access token or /userinfo endpoint.

From the client-side, I pass the audience as follows:

<Auth0Provider
  {...providerConfig}
  scope="openid profile email read:current_user update:current_user_metadata"
  audience={`my-audience-here`}
>
  {children}
</Auth0Provider>

I also attempted adding “read:roles read:role_members” to the scope, but without success.

FYI, I have read almost all the custom claims posts in the Auth0 Community, but nothing seems to work, including this one: How to add Roles and Permissions to the ID Token using Actions?

I would appreciate any insights or suggestions on how to correctly add and retrieve these custom “role” claims from the access token and the /userinfo endpoint.
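As an added diagnostic (my own helper, not code from the original post or from Auth0): before looking at /userinfo, decode the access token locally and check two things a practitioner would verify first, whether the token is a JWT at all (Auth0 issues an opaque, non-JWT access token when no API audience is requested, and an opaque token can never carry custom claims) and which namespaced claims its payload actually contains. The namespace, the sample tokens and the claim values below are constructed for the demo; the signature is not verified, so this is for debugging only, never for authorization decisions.

```javascript
// Added diagnostic helper (not from the original post): inspect an Auth0-issued
// token locally to see whether it is a JWT and which namespaced custom claims it
// carries. Decoding only; the signature is NOT verified, so use for debugging only.

const NAMESPACE = 'https://example.com'; // assumed namespace for the demo

// base64url -> UTF-8 string (Node 16+ understands the 'base64url' encoding)
function b64urlDecode(s) {
  return Buffer.from(s, 'base64url').toString('utf8');
}

// Returns { header, payload } for a JWS compact token, or null if the string is
// not a three-part JWT (e.g. an opaque access token, which Auth0 issues when no
// API audience is requested; such a token cannot carry custom claims at all).
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    return {
      header: JSON.parse(b64urlDecode(parts[0])),
      payload: JSON.parse(b64urlDecode(parts[1])),
    };
  } catch {
    return null;
  }
}

// Collects every claim whose key starts with `${namespace}/`, keyed by the
// claim name with the namespace prefix stripped.
function namespacedClaims(payload, namespace) {
  const prefix = `${namespace}/`;
  const out = {};
  for (const [k, v] of Object.entries(payload)) {
    if (k.startsWith(prefix)) out[k.slice(prefix.length)] = v;
  }
  return out;
}

// The summary a developer debugging the thread's problem would look at:
// is it a JWT, which audience(s) it was issued for, which custom claims it has.
function inspect(token, namespace) {
  const decoded = decodeJwt(token);
  if (!decoded) return { isJwt: false, aud: undefined, claims: {} };
  return {
    isJwt: true,
    aud: decoded.payload.aud,
    claims: namespacedClaims(decoded.payload, namespace),
  };
}

// --- constructed sample tokens (fake and unsigned; 'sig' is a placeholder) ---
function fakeJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.sig`;
}

const SAMPLE_ACCESS_TOKEN = fakeJwt({
  iss: 'https://tenant.example.auth0.com/',
  sub: 'auth0|123',
  aud: ['my-audience-here', 'https://tenant.example.auth0.com/userinfo'],
  [`${NAMESPACE}/role`]: ['admin', 'editor'],
  [`${NAMESPACE}/testdata`]: '123',
});
const SAMPLE_OPAQUE_TOKEN = 'kS9xhdN0wYb3Zc'; // shape of an opaque token

console.log(inspect(SAMPLE_ACCESS_TOKEN, NAMESPACE));
console.log(inspect(SAMPLE_OPAQUE_TOKEN, NAMESPACE));
```

If `isJwt` comes back false for the real access token, the Action and namespace are not the problem: the SDK did not request the audience the Action's claims are meant for, and the token is only good for /userinfo. If it is a JWT but `claims` is empty, compare `aud` with the audience the Action is expected to run for.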

Hello @Alex0 welcome to the community!

Thanks for the detailed description! Everything code-wise looks fine, so I’m guessing it’s a configuration issue somewhere.

Where exactly are you referring to that you can see the user’s associated roles?

Keep us posted!

They appear in the User Management dashboard for my auth0 SP:

Thanks for confirming! How are you assigning roles? Does the user have the same roles in “Roles” section in the same User Management screen?

So I’m assigning the user roles in my IdP using User Management > Roles, so a user with 2 roles would look like this on my IdP:

The Raw JSON section would not show the role claim in the IdP. However, on the SP, the roles would show in the Raw JSON section:

The roles section in the SP would be empty, which I think is expected:

Hi @Alex0,

I’m jumping in for @tyf while he’s out.

Make sure you are following the Create Custom Claims namespace guidelines.

Specifically:

Use the following guidelines for namespace identifiers:

  • Use any non-Auth0 HTTP or HTTPS URL as a namespace identifier. Auth0 domains cannot be used as namespace identifiers, and include:
  • Use a URL that you control as a namespace identifier; this allows you to avoid the risk that someone else is using the same namespace. The namespace URL does not have to point to an actual resource. It is only used as an identifier; it will not be called.
  • Begin the URL with http:// or https://.
  • Create multiple namespaces, as needed.

Once you have chosen your namespace, append the claim to it to create a namespaced claim, which can be added to a token. For example:

http://www.example.com/favorite_color
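To turn the guidelines quoted above into something you can run against a candidate namespace, here is an added check of my own (not code from the post or from Auth0). It enforces the rules the guidelines state: the namespace must begin with http:// or https://, must parse as a URL, and must not be an Auth0-owned domain; it then joins namespace and claim name the way the `favorite_color` example does. The page does not reproduce the full list of Auth0 domains, so the single entry `auth0.com` below is an assumption to extend from the current Auth0 docs; the candidate namespaces are constructed for the demo and include the two the thread tried.

```javascript
// Added example (not part of the original post): validate a custom-claim
// namespace against the quoted guidelines and build the namespaced claim key.
// AUTH0_OWNED_DOMAINS is an assumed, non-exhaustive list; extend it from the
// current Auth0 docs.

const AUTH0_OWNED_DOMAINS = ['auth0.com'];

// Returns { ok: true } or { ok: false, reason } for a candidate namespace.
function checkNamespace(ns) {
  if (typeof ns !== 'string' || ns.length === 0) {
    return { ok: false, reason: 'namespace must be a non-empty string' };
  }
  // Guideline: begin the URL with http:// or https://
  if (!/^https?:\/\//i.test(ns)) {
    return { ok: false, reason: 'namespace must begin with http:// or https://' };
  }
  let url;
  try {
    url = new URL(ns);
  } catch {
    return { ok: false, reason: 'namespace is not a parseable URL' };
  }
  // Guideline: Auth0 domains cannot be used as namespace identifiers
  const host = url.hostname.toLowerCase();
  for (const d of AUTH0_OWNED_DOMAINS) {
    if (host === d || host.endsWith(`.${d}`)) {
      return { ok: false, reason: `Auth0 domain ${d} cannot be used as a namespace` };
    }
  }
  return { ok: true };
}

// Joins namespace and claim name exactly as the quoted guideline does:
// http://www.example.com + favorite_color -> http://www.example.com/favorite_color
// A trailing slash on the namespace is tolerated so the key never gets '//'.
function namespacedClaim(ns, claim) {
  const check = checkNamespace(ns);
  if (!check.ok) throw new Error(check.reason);
  const base = ns.endsWith('/') ? ns.slice(0, -1) : ns;
  return `${base}/${claim}`;
}

// Constructed candidates: the two the thread tried, the guideline's example,
// and a tenant domain that the guidelines forbid.
const CANDIDATES = [
  'abcnamespace',
  'https://abcnamespace',
  'http://www.example.com',
  'https://tenant.auth0.com',
];
for (const ns of CANDIDATES) console.log(ns, checkNamespace(ns));
```

Note that `https://abcnamespace` passes this check (it is a syntactically valid URL that Auth0 does not own), which matches the reply further down the thread that the original namespace worked in a clean tenant; the check catches the bare `abcnamespace` form and tenant domains, nothing more.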

Thanks @dan.woda. In the original post I shared code where I set up my namespace as const namespace = 'abcnamespace'; it is still not showing up in the access token. I also followed this guide: How to add Roles and Permissions to the ID Token using Actions? and also this one: Create Custom Claims

Note that neither https://abcnamespace nor abcnamespace would show up in the access token or userinfo endpoint

Can you try http://www.example.com and see if that works?

@dan.woda I tried using http://www.example.com, and that didn’t work either.

Okay, I was able to test it and confirm both the original code you posted (with the abc... namespace), and with the http://www.example.com namespace.

I used that Action and was able to retrieve the custom claims in the ID and Access Tokens and from the userinfo endpoint.

I’m wondering if maybe the Action isn’t firing at all. Can you please confirm it has been deployed and has been added to the post login actions flow? (If this doesn’t solve it, please DM me your tenant name so I can look at your config, thanks.)

Thank you for looking into this. The action has been deployed and apparently is triggering, as I can see the custom claim (although without the namespace) returned in the raw user object in the SP; I uploaded some screenshots a few days ago.

I’ve DM’ed you my tenant name.

Perfect, I replied in the DM.

