Use Signed Access Token in a Post-Login Action API Request

Hello!

We have an external permission service outside of Auth0 where we’d like to fetch permissions and then set these permissions as a customClaim on the accessToken. However, the permission service requires an Auth0 accessToken…

Inside a Post-Login action, we’re attempting to make an axios request w/ the accessToken as an Authorization header. This header value needs to be a signed Auth0 accessToken, and we’re trying to use the event.accessToken inside the scope of the Action. However, this accessToken does not seem to be a signed encoded jwt, but a basic javascript object (the body of the eventual jwt returned from Auth0)

Is the above workflow fundamentally wrong? Should we perhaps be making a separate permission request from the client and backend that require the permission for analysis, or is there a way to get the signed JWT from Auth0 to include in the Post-Login action axios request?

Some example code:

const axios = require('axios');
const namespace = 'https://example.com';
exports.onExecutePostLogin = async (event, api) => {
  // event.accessToken here is a plain object (the claims that will eventually be
  // issued), not a signed JWT, so this header does not carry a valid token.
  let userPermissionsResponse = await axios.get(`https://<our-permission-service>/users/${event.user.user_id}/permissions`, {
    headers: {
      'Authorization': `Bearer ${event.accessToken}`
    }
  });
  if (userPermissionsResponse.data) {
    api.accessToken.setCustomClaim(`${namespace}/permissions`, userPermissionsResponse.data);
  }
};

Thanks for any help you can provide!

Tommy

Hi @tadamski

The user’s access token is not available until after the action chain completes.

You have a couple of options:

  • Use a M2M access token and pass the user ID as a parameter
  • Use a redirect action, do silent auth in the redirect app to get an access token, and have the redirect app call the permissions API.

There are probably more, but that’s what I have off the top of my head.

John

3 Likes

Hi @john.gateley, thanks for the info!

I think we’re going to try out the M2M flow and provision an accessToken and then use that to make the request to the permission service. Thanks for the idea and I’ll let you know how it goes!

Tommy

1 Like

Hi @john.gateley,

I have a similar use case where I want to extend the access token custom claims with data from our API. The API is secured by an Auth0 signed JWT.

Could you possibly clarify what you mean by

Use a M2M access token and pass the user ID as parameter

or more guidance on how to implement this?

I’m trying to add mapped data from our database depending on app data from the Authorization extension. The basic flow should be like this:

  1. Login request
  2. Post-login triggers
  3. Get app-data from Authorization extension
  4. Make API call to fetch mapped data depending on auth-groups from previous step
  5. Append auth-groups and fetched data to token as custom claim
  6. Issue token
  7. Finish

Maybe there is a better way that I’m unaware of.

4 Likes
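A sketch of John's first option (an M2M token, with the user ID passed as a parameter) for both questions above, as an added example that is not code from either poster or from Auth0: the Action exchanges client credentials stored in event.secrets for a token, caches it, calls the permission service, and writes the result as a custom claim. The secret names, the permission-service URL and its JSON response shape are assumptions, as is the api.cache behaviour (millisecond ttl, 15-minute maximum) relied on here.

```javascript
// Added example, not the thread's or Auth0's code. Assumes Node 18+ global fetch,
// hypothetical secret names, and the Actions api.cache API (ttl in ms, max 15 min).
const namespace = 'https://example.com';
const MAX_CACHE_MS = 15 * 60 * 1000;

// Client-credentials grant for the permission service, cached so the Action does
// not call /oauth/token on every login.
async function getM2MToken(event, api, fetchImpl = fetch) {
  const cached = api.cache.get('perm-svc-token');
  if (cached && cached.value) return cached.value;
  const res = await fetchImpl(`https://${event.secrets.AUTH0_DOMAIN}/oauth/token`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      grant_type: 'client_credentials',
      client_id: event.secrets.PERM_SVC_CLIENT_ID,
      client_secret: event.secrets.PERM_SVC_CLIENT_SECRET,
      audience: event.secrets.PERM_SVC_AUDIENCE,
    }),
  });
  if (!res.ok) throw new Error(`token request failed: ${res.status}`);
  const { access_token, expires_in } = await res.json();
  // Drop the cached token a minute before it expires, within the cache's ceiling.
  const ttl = Math.min(Math.max(0, (expires_in - 60) * 1000), MAX_CACHE_MS);
  api.cache.set('perm-svc-token', access_token, { ttl });
  return access_token;
}

async function onExecutePostLogin(event, api, fetchImpl = fetch) {
  const token = await getM2MToken(event, api, fetchImpl);
  // The M2M token proves the caller is the Action; the user is identified by the
  // path parameter, so the service must treat this caller as trusted for lookups only.
  const url = `${event.secrets.PERM_SVC_URL}/users/${encodeURIComponent(event.user.user_id)}/permissions`;
  const res = await fetchImpl(url, { headers: { Authorization: `Bearer ${token}` } });
  if (!res.ok) {
    // Fail closed rather than issue a token with missing or stale permissions.
    api.access.deny('permissions unavailable');
    return;
  }
  const permissions = await res.json(); // assumed: a JSON array of permission strings
  if (Array.isArray(permissions) && permissions.length) {
    api.accessToken.setCustomClaim(`${namespace}/permissions`, permissions);
  }
}

if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```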

Hey team!

Since this topic touches Auth0 Actions, quick heads-up that we’re hosting an Ask Me Anything dedicated to Actions with Gaston Danilo Asis Sanchez, Senior Technical Product Manager. We’ll cover practical usage, new capabilities like Transaction Metadata and Actions Types, plus a peek at what’s next.

  • Submit questions now through Aug 26
  • Get detailed written answers live on Aug 27, 9–11 AM PT

Earn community points + a badge. If you’re exploring how Actions can streamline your auth flows, this is a great time to get direct guidance from the team.
Join the AMA & drop your questions here: August 27 Auth0 Community Ask Me Anything: Actions

Dawid