Using Rules with the Authorization Extension
You can use rules with the Authorization Extension to do things like:
- Adding custom claims to the issued token
- Determining the user's group membership, roles and permissions
- Storing the user's groups, roles and permissions info as part of the
- Adding the user's groups, roles and permissions to the outgoing token (which can be requested via the `openid groups permissions roles` scope)
Because the above logic is part of a rule, it only executes in the context of a login. If users are added to or removed from a group, the change is only reflected in Auth0, and in the tokens it issues, after the user's next login; tokens that were issued before the change keep their old claims until they expire.
Add Custom Claims to the Issued Token
If you'd like to add custom claims to your tokens, you can do so by creating an additional rule that reads the groups, roles and permissions the Authorization Extension has resolved and writes them into the token.
This rule must run after the Authorization Extension rule, because that rule is what makes the authorization data available. To make sure this happens, place it below the Authorization Extension rule in the rules list; rules execute in the order they are listed.
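As an added example (not code from the original page), the following rule copies the groups, roles and permissions into the ID token and access token as namespaced custom claims. It assumes the Authorization Extension rule has already run and exposed its result as `context.authorization` with `groups`, `roles` and `permissions` arrays; the claim namespace `https://example.com/claims/` is a placeholder you replace with your own URL, and the sample user and context at the bottom are constructed input for running it offline.

```javascript
// Added example (not code from the original page): an Auth0 rule that copies the
// groups, roles and permissions the Authorization Extension resolved into the
// ID token and access token as namespaced custom claims.
// Assumptions: the Authorization Extension rule runs before this one and exposes
// its result as context.authorization = { groups, roles, permissions };
// CLAIM_NAMESPACE is a placeholder you replace with a URL you control.
const CLAIM_NAMESPACE = 'https://example.com/claims/';

// Build the namespaced claims from the extension's result. Missing or malformed
// fields become empty arrays so the token shape stays predictable for consumers.
function buildAuthorizationClaims(context) {
  const authz = (context && context.authorization) || {};
  const asList = (v) => (Array.isArray(v) ? v.slice() : []);
  return {
    [CLAIM_NAMESPACE + 'groups']: asList(authz.groups),
    [CLAIM_NAMESPACE + 'roles']: asList(authz.roles),
    [CLAIM_NAMESPACE + 'permissions']: asList(authz.permissions),
  };
}

// The rule itself, in the shape the dashboard expects. Place it below the
// Authorization Extension rule. The callback must be invoked exactly once.
function addAuthorizationClaims(user, context, callback) {
  const claims = buildAuthorizationClaims(context);
  context.idToken = Object.assign({}, context.idToken, claims);
  context.accessToken = Object.assign({}, context.accessToken, claims);
  return callback(null, user, context);
}

// Constructed sample input standing in for what a real login passes to the rule.
const sampleUser = { user_id: 'auth0|example', email: 'alice@example.com' };
const sampleContext = {
  authorization: {
    groups: ['engineering'],
    roles: ['admin'],
    permissions: ['read:users', 'write:users'],
  },
  idToken: {},
  accessToken: {},
};

// Run the rule once over the sample and return what the callback received.
function runSample() {
  let result = null;
  addAuthorizationClaims(sampleUser, sampleContext, (err, user, context) => {
    result = { err, user, context };
  });
  return result;
}
```

The namespace matters: for OIDC-conformant applications Auth0 silently drops custom claims whose names are not namespaced with a URL, so an un-namespaced `roles` claim would never reach the client. Also remember that anything you put in the access token is readable by whoever holds that token, and a long permissions list inflates every token issued, so add only what the consuming application actually needs.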
Control App Access
You can also write rules that execute after the Authorization Extension rule to control access to your application. One method is to specify the roles required for each application in the application's metadata, then have a rule reject logins from users who do not hold those roles.
Step 1: Set the Application Metadata's required_roles
In this step, you'll set the Application's metadata with its roles, which are sets of permissions that you've grouped together to form a specific piece of functionality. You can think of this step as "tagging" the Application so that the rule you'll set up in the next step knows which Application to act on.
1. To set the context.clientMetadata field with required_roles, begin by selecting the application you want to work with in the dashboard. This brings you to the application's Settings. Scroll down and click Show Advanced Settings at the bottom of the page.
2. Under Application Metadata, add an item with the Key set to required_roles and, in the Value field, list your roles separated by commas. Click the CREATE button to add the field.
3. When finished, click Save Changes. Now when you log in from this application, context.clientMetadata will contain required_roles with the comma-separated roles string you entered (application metadata values are always strings, so the rule has to split it).
Step 2: Create the Rule Enforcing Application Roles
Now that each Application has its required roles associated with it, you can create a rule that executes with this piece of application information in context. To enforce required_roles, create a new rule with the following body:
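The rule below is an added example of that enforcement and is not the page's own code. It assumes the Authorization Extension rule runs before it and exposes the user's roles as `context.authorization.roles`, that `required_roles` arrives as the comma-separated string entered in the dashboard, and that holding any one of the listed roles is enough (if you need all of them, change `some` to `every` in `hasRequiredRole`). `UnauthorizedError` is a global in the Auth0 rules sandbox; the example defines a stand-in only when it is missing so the code also runs locally, and the two sample contexts are constructed input.

```javascript
// Added example (not code from the original page): an Auth0 rule that denies
// login to an application whose required_roles the user does not hold.
// Assumptions: the Authorization Extension rule runs first and exposes the user's
// roles on context.authorization.roles; required_roles is the comma-separated
// string entered under Application Metadata; any one listed role is sufficient.

// Parse the comma-separated required_roles value into a trimmed, non-empty list.
// Anything that is not a string (missing metadata, for instance) yields no roles.
function parseRequiredRoles(value) {
  if (typeof value !== 'string') return [];
  return value.split(',').map((r) => r.trim()).filter((r) => r.length > 0);
}

// Decide whether a user holding userRoles may access an application that requires
// requiredRoles. An application with no required_roles is open to everyone.
// Matching is exact and case-sensitive, so names must match the extension's roles.
function hasRequiredRole(userRoles, requiredRoles) {
  if (requiredRoles.length === 0) return true;
  const held = new Set(Array.isArray(userRoles) ? userRoles : []);
  return requiredRoles.some((role) => held.has(role));
}

// The rules sandbox provides UnauthorizedError as a global; define a stand-in only
// when running outside it (hypothetical shim, not part of the rule you paste in).
if (typeof UnauthorizedError === 'undefined') {
  globalThis.UnauthorizedError = class UnauthorizedError extends Error {};
}

// The rule body. Place it below the Authorization Extension rule.
function enforceRequiredRoles(user, context, callback) {
  const metadata = context.clientMetadata || {};
  const requiredRoles = parseRequiredRoles(metadata.required_roles);
  const userRoles = (context.authorization && context.authorization.roles) || [];
  if (hasRequiredRole(userRoles, requiredRoles)) {
    return callback(null, user, context);
  }
  // Fail closed: the login is denied and the error is returned to the application.
  const appName = context.clientName || 'this application';
  return callback(new UnauthorizedError('You do not have a role required to access ' + appName));
}

// Constructed sample contexts standing in for what a real login passes to the rule.
const sampleDeniedContext = {
  clientName: 'Admin Console',
  clientMetadata: { required_roles: 'admin, auditor' },
  authorization: { roles: ['viewer'] },
};
const sampleAllowedContext = {
  clientName: 'Admin Console',
  clientMetadata: { required_roles: 'admin, auditor' },
  authorization: { roles: ['viewer', 'auditor'] },
};

// Run the rule over a context and return what the callback received.
function runRule(context) {
  let result = null;
  enforceRequiredRoles({ user_id: 'auth0|example' }, context, (err, user, ctx) => {
    result = { err, user, context: ctx };
  });
  return result;
}
```

Two points worth checking before relying on this: the rule fails closed only because it reads the roles from the context the extension populated, so if the extension's rule is disabled or moved below this one, every user of an application with `required_roles` is denied rather than allowed; and because the comparison is exact, a typo or case difference in the metadata value locks everyone out of that application, which is the safer failure but worth a test login after each change.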