How to get the roles in Auth0's user management to be added in the JWT?

I have an Auth0 application and I'm maintaining roles through the User Management. I would like to get those roles that are assigned to a user to be added to the JWT returned.

I do have the following in the openid_connect_configuration.conf

map $host $oidc_scopes {
    default "openid+profile+email+offline_access+openid roles";
}

I have the following in the /.well-known/openid-configuration

{
    ...
    "scopes_supported": [
        "openid",
        "profile",
        "offline_access",
        "name",
        "given_name",
        "family_name",
        "nickname",
        "email",
        "email_verified",
        "picture",
        "created_at",
        "identities",
        "phone",
        "address"
    ],
    "response_types_supported": [
        "code",
        "token",
        "id_token",
        "code token",
        "code id_token",
        "token id_token",
        "code token id_token"
    ],
    "code_challenge_methods_supported": [
        "S256",
        "plain"
    ],
    "response_modes_supported": [
        "query",
        "fragment",
        "form_post"
    ],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": [
        "HS256",
        "RS256"
    ],
    "token_endpoint_auth_methods_supported": [
        "client_secret_basic",
        "client_secret_post"
    ],
    "claims_supported": [
        "aud",
        "auth_time",
        "created_at",
        "email",
        "email_verified",
        "exp",
        "family_name",
        "given_name",
        "iat",
        "identities",
        "iss",
        "name",
        "nickname",
        "phone_number",
        "picture",
        "sub"
    ],
    "request_uri_parameter_supported": false
}

How do I set things in Auth0 to return the roles assigned to the logged in user? I have tried looking into the documentation, but I had no luck.
Solution 1:[1]

I found my answer through exploring the extensions in Auth0. I installed the Auth0 Authorization extension. I enabled the groups and roles.

I then added the following rule:

// Auth0 rule. It runs after the Authorization extension's own rule, which
// writes the user's groups/roles into user.app_metadata.authorization when
// the extension is configured to persist them to app_metadata.
function setRolesToUser(user, context, callback) {
  // Roles should only be set to verified users.
  if (!user.email || !user.email_verified) {
    return callback(null, user, context);
  }

  user.app_metadata = user.app_metadata || {};

  // `auth0` is the management client the rules runtime provides.
  auth0.users
    .updateAppMetadata(user.user_id, user.app_metadata)
    .then(function () {
      // Custom claims must be namespaced (a URL); un-namespaced ones are dropped.
      context.idToken['https://example.com/auth'] = user.app_metadata.authorization;
      callback(null, user, context);
    })
    .catch(function (err) {
      callback(err);
    });
}

I get the following as the JWT payload:

{
    "https://example.com/auth": {
        "groups": ["Samples"],
        "roles": ["Editor"]
    },
    "sub": "auth0|xxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "nickname": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "email_verified": true,
    "iss": "https://dev-xxxxxxxxxx.us.auth0.com/",
    "updated_at": "2022-04-29T20:01:14.585Z",
    "iat": 1.651330616E9,
    "picture": "https://s.gravatar.com/avatar/a705adb3d5d8530c35c41a9de260cd3c?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Flo.png",
    "exp": 1.651366616E9,
    "name": "xxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxx",
    "aud": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "nonce": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "email": "[email protected]"
}

Sources

[1] Solution 1: Loren Cahlander, Stack Overflow. This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.