Use Signed Access Token in a Post-Login Action API Request

Hello!

We have an external permission service outside of Auth0 where we’d like to fetch permissions and then set these permissions as a customClaim on the accessToken. However, the permission service requires an Auth0 accessToken…

Inside a Post-Login action, we’re attempting to make an axios request w/ the accessToken as an Authorization header. This header value needs to be a signed Auth0 accessToken, and we’re trying to use the event.accessToken inside the scope of the Action. However, this accessToken does not seem to be a signed encoded jwt, but a basic javascript object (the body of the eventual jwt returned from Auth0)

Is the above workflow fundamentally wrong? Should we perhaps be making a separate permission request from the client and backend that require the permission for analysis, or is there a way to get the signed JWT from Auth0 to include in the Post-Login action axios request?

Some example code:

const axios = require('axios');
const namespace = 'https://example.com';
exports.onExecutePostLogin = async (event, api) => {
  let userPermissionsResponse = await axios.get(`https://<our-permission-service>/users/${event.user.user_id}/permissions`, {
    headers: {
      'Authorization': `Bearer ${event.accessToken}`
    }
  });
  if (userPermissionsResponse.data) {
    api.accessToken.setCustomClaim(`${namespace}/permissions`, userPermissionsResponse.data);
  }
}

Thanks for any help you can provide!

Tommy

Hi @tadamski

The user’s access token is not available until after the action chain completes.

You have a couple of options:

  • Use a M2M access token and pass the user ID as a parameter
  • Use a redirect action, do silent auth in the redirect app to get an access token, and have the redirect app call the permissions API.

There are probably more, but that’s what I have off the top of my head.

John

3 Likes

Hi @john.gateley, thanks for the info!

I think we’re going to try out the M2M flow and provision an accessToken and then use that to make the request to the permission service. Thanks for the idea and I’ll let you know how it goes!

Tommy

1 Like

Hi @john.gateley,

I have a similar use case where I want to extend the access token custom claims with data from our API. The API is secured by an Auth0 signed JWT.

Could you possibly clarify what you mean by

Use a M2M access token and pass the user ID as parameter

or more guidance on how to implement this?

I’m trying to add mapped data from our database depending on app data from the Authorization extension. The basic flow should be like this:

  1. Login request
  2. Post-login triggers
  3. Get app-data from Authorization extension
  4. Make API call to fetch mapped data depending on auth-groups from previous step
  5. Append auth-groups and fetched data to token as custom claim
  6. Issue token
  7. Finish

Maybe there is a better way that I’m unaware of.

4 Likes

Hey there!

As this topic is related to Actions and Rules & Hooks are being deprecated soon in favor of Actions, I’m excited to let you know about our next Ask me Anything session in the Forum on Thursday, January 18 with the Rules, Hooks and Actions team on Rules & Hooks and why Actions matter! Submit your questions in the thread above and our esteemed product experts will provide written answers on January 18. Find out more about Rules & Hooks and why Actions matter! Can’t wait to see you there!

Learn more here!