Use Signed Access Token in a Post-Login Action API Request

Hello!

We have an external permission service outside of Auth0 where we’d like to fetch permissions and then set these permissions as a customClaim on the accessToken. However, the permission service requires an Auth0 accessToken…

Inside a Post-Login action, we’re attempting to make an axios request w/ the accessToken as an Authorization header. This header value needs to be a signed Auth0 accessToken, and we’re trying to use the event.accessToken inside the scope of the Action. However, this accessToken does not seem to be a signed encoded jwt, but a basic javascript object (the body of the eventual jwt returned from Auth0)

Is the above workflow fundamentally wrong? Should we perhaps be making a separate permission request from the client and backend that require the permission for analysis, or is there a way to get the signed JWT from Auth0 to include in the Post-Login action axios request?

Some example code:

const axios = require('axios');
const namespace = 'https://example.com';
exports.onExecutePostLogin = async (event, api) => {
  let userPermissionsResponse = await axios.get(`https://<our-permission-service>/users/${event.user.user_id}/permissions`, {
    headers: {
      'Authorization': `Bearer ${event.accessToken}`
    }
  });
  if (userPermissionsResponse.data) {
    api.accessToken.setCustomClaim(`${namespace}/permissions`, userPermissionsResponse.data);
  }
}

Thanks for any help you can provide!

Tommy

Hi @tadamski

The user’s access token is not available until after the action chain completes.

You have a couple of options:

  • Use a M2M access token and pass the user ID as a parameter
  • Use a redirect action, do silent auth in the redirect app to get an access token, and have the redirect app call the permissions API.

There are probably more, but that’s what I have off the top of my head.

John

2 Likes

Hi @john.gateley, thanks for the info!

I think we’re going to try out the M2M flow and provision an accessToken and then use that to make the request to the permission service. Thanks for the idea and I’ll let you know how it goes!

Tommy

1 Like