auth0-authorization-extension

Extension rule uses root-level non-namespaced claims

Open rolodato opened this issue 8 years ago • 4 comments

Specifically, these lines:

      // Update the outgoing token.
      user.groups = data.groups;
      user.roles = data.roles;
      user.permissions = data.permissions;

This has no effect when used with an OIDC-conformant login flow.

rolodato avatar Nov 07 '16 14:11 rolodato

A possible workaround until this is fixed is to add a new rule that puts that info in namespaced claims:

function (user, context, callback) {
  // OIDC-Conformant pipeline will not return JWT tokens
  // with the non-namespaced "roles", "permissions" and/or "groups" custom claims
  // so let's add them manually

  context.idToken['https://mycustomdomain.com/claims/authorization/roles'] = user.roles;
  context.idToken['https://mycustomdomain.com/claims/authorization/permissions'] = user.permissions;
  context.idToken['https://mycustomdomain.com/claims/authorization/groups'] = user.groups;
  callback(null, user, context);
}

Make sure this rule runs after auth0-authorization-extension.

nicosabena avatar Mar 31 '17 20:03 nicosabena
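As an added example (not code from this thread or from the auth0-authorization-extension project), the workaround above written as a companion rule that copies the groups/roles/permissions the extension rule placed on `user` into namespaced claims on both the ID token and the access token, with a guard for the case where the extension rule did not run. The namespace URL, the `runRule` harness and the sample user are assumptions constructed for the example; the rule body follows the `(user, context, callback)` shape Auth0 rules use.

```javascript
// Added example, not from the thread or the project.
// The namespace URL is an assumption; use one you control.
const NAMESPACE = 'https://mycustomdomain.com/claims/authorization/';

// Companion rule: place it after auth0-authorization-extension, which sets
// user.groups / user.roles / user.permissions for later rules.
function addNamespacedAuthzClaims(user, context, callback) {
  // Guard: if the extension rule did not run, or the matching "Token contents"
  // option is off, the field is undefined. Skip it rather than emitting an
  // `undefined` claim.
  const fields = ['groups', 'roles', 'permissions'];
  for (const field of fields) {
    const value = user[field];
    if (!Array.isArray(value)) continue;
    // The OIDC-conformant pipeline only keeps custom claims whose names are
    // URL-style namespaced, so the claim is written under NAMESPACE on both
    // tokens: the ID token for the client, the access token for APIs.
    context.idToken[NAMESPACE + field] = value;
    context.accessToken[NAMESPACE + field] = value;
  }
  return callback(null, user, context);
}

// Harness (assumption): emulate the rule pipeline's call with a constructed
// context and return the tokens the rule produced, so it runs offline.
function runRule(rule, user) {
  const context = { idToken: {}, accessToken: {} };
  let result = null;
  rule(user, context, (err, u, ctx) => {
    if (err) throw err;
    result = { idToken: ctx.idToken, accessToken: ctx.accessToken };
  });
  return result;
}

// Constructed sample user, as the extension rule would leave it.
const sampleUser = {
  user_id: 'auth0|example',
  groups: ['admins'],
  roles: ['admin'],
  permissions: ['read:reports', 'write:reports'],
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runRule(addNamespacedAuthzClaims, sampleUser), null, 2));
}
```

Because the rule writes the same claims to the access token, APIs that validate it can authorize on `NAMESPACE + 'permissions'` without a second lookup; the guard keeps a user with no extension data from ending up with `undefined` claims in either token.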

+1, a customer ran into this today via community.auth0.com

sgmeyer avatar May 29 '18 11:05 sgmeyer

I think we just need to add something like this to /lib/rules/authorize.js:

    <% if (config.groupsInToken && !config.groupsPassthrough) { %>
    context.idToken['https://mycustomdomain.com/claims/authorization/groups'] = user.groups;<% } %>
    <% if (config.rolesInToken && config.rolesPassthrough) { %>
    context.idToken['https://mycustomdomain.com/claims/authorization/roles'] = user.roles;<% } %>
    <% if (config.permissionsInToken && config.permissionsPassthrough) { %>
    context.idToken['https://mycustomdomain.com/claims/authorization/permissions'] = user.permissions;<% } %>

The only thing is I don't know what URL namespace we'd want to use for the claim.

sgmeyer avatar May 29 '18 18:05 sgmeyer

Just ran into this today.

The docs page https://auth0.com/docs/extensions/authorization-extension/v2/rules#add-custom-claims-to-the-issued-token says how to do this, but the Authorization Extension config page is very misleading because it says "Token contents" and "stored in the outgoing token", neither of which is true. All it does is make Authorization Extension groups/roles/permissions available to other rules.

In my case, I wanted to enable MFA for all users in a given group, and I had to go enable "Groups" under "token contents" so I could access Authz groups in my MFA rule. Has NOTHING to do with tokens.

If the above change is made, changing the behavior while leaving the UI description in place, perhaps a suitable warning can be added when the user publishes? Or maybe the UI description can just be changed to explain that it only updates the user object for rules, and link to the "add-custom-claims-to-the-issued-token" docs for how to add them to a token, rather than changing the authz rule behavior?

emsearcy avatar Jul 31 '18 17:07 emsearcy