Replace auth0-authorization-extension rule with an action #379
Comments
Any answer here or date of when an answer might be coming for this? |
In the documentation for converting Rules to Actions, there's a limitation that directly affects this: https://auth0.com/docs/customize/actions/migrate/migrate-from-rules-to-actions#understand-limitations Rules can add properties to the User object that then gets passed to subsequent Rules. Actions cannot do this. |
Got a workaround: you can use an Action to set a custom claim. User groups from Authorization Extension are synced to
Just can't override the reserved |
That's cool and all, but what happens after November 18th, when the AuthorizationExtension rule no longer works and thus will not be setting the app_metadata values? |
Hello, is there any information on this? I would like an answer to the last question from @simmerkaer. |
+1 |
+1 |
+1 |
+1 |
+1 |
+1 |
I also resolved this way |
Since this is making use of the app_metadata field, I'm concerned it will stop working after EOL of Rules |
+1 |
+1 |
+1 |
It is pretty concerning that we haven't gotten an answer to this since April. Will this extension stop functioning on Nov 18? Do we need to migrate to the core authorization features? |
I have managed to successfully migrate the rule to an action, which checks the authorization extension API and then sets the fields on the app_metadata object on the user. I have kept the query checks the same as they were in my original rule. My organisation does not use groups, but you should be able to uncomment the line and it should work. You will need to:

```javascript
/**
 * This Action was migrated from Rule.
 * Rule name: auth0-authorization-extension
 * Rule ID: rul_PVNRdieUcyRSWRC3
 * Created on 21/10/2024
 */
const axios = require("axios");

const EXTENSION_URL = "***REPLACE WITH THE URL FOUND IN YOUR RULE***";

/**
 * Handler that will be called during the execution of a PostLogin flow.
 *
 * @param {Event} event - Details about the user and the context in which they are logging in.
 * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
 */
exports.onExecutePostLogin = async (event, api) => {
  // Skip if the original rule already ran for this login.
  if (api.rules.wasExecuted('rul_PVNRdieUcyRSWRC3')) {
    return;
  }

  // End users must not request tokens for the extension's own API.
  // api.access.deny() does not stop the handler, so return after each deny.
  var audience = '';
  audience = audience || event.request.query?.audience;
  if (audience === 'urn:auth0-authz-api') {
    api.access.deny('no_end_users');
    return;
  }

  audience = audience || event.request.body?.audience;
  if (audience === 'urn:auth0-authz-api') {
    api.access.deny('no_end_users');
    return;
  }

  const getPolicyData = await getPolicy(event.user, event);
  if (getPolicyData.status !== 200) {
    api.access.deny('Authorization Extension: ' + (getPolicyData.data?.message || getPolicyData.status));
    return;
  }

  api.user.setAppMetadata('authorization', {
    permissions: getPolicyData.data.permissions,
    roles: getPolicyData.data.roles,
    // groups: getPolicyData.data.groups
  });
};

// Ask the Authorization Extension API for this user's policy for the current client.
async function getPolicy(user, event) {
  let responseBody = {
    connectionName: event.connection?.name || user.identities[0]?.connection,
    groups: parseGroups(user.groups)
  };

  let response = await axios.post(EXTENSION_URL + "/api/users/" + user.user_id + "/policy/" + event.client.client_id,
    JSON.stringify(responseBody), {
      headers: {
        "x-api-key": event.secrets.auth_api,
        "Content-Type": "application/json"
      },
      // axios rejects on non-2xx by default; resolve for every status so the
      // status check in the handler above is the one that decides.
      validateStatus: () => true
    });

  return response;
}

// Convert a comma- or space-separated group string into an array.
function parseGroups(data) {
  if (typeof data === 'string') {
    return data.replace(/,/g, ' ').replace(/\s+/g, ' ').split(' ');
  }
  return data;
}
```

I have another action that executes after this, that sets the values to the access token.

```javascript
exports.onExecutePostLogin = async (event, api) => {
  const namespace = "https://auth.yournamespace.com";

  if (event.user.app_metadata.authorization) {
    const roles = event.user.app_metadata.authorization.roles;
    const permissions = event.user.app_metadata.authorization.permissions;

    // Set claims
    api.idToken.setCustomClaim(`${namespace}/roles`, roles);
    api.idToken.setCustomClaim(`${namespace}/permissions`, permissions);
  }
};
```

I do still think we need an official answer from Auth0, but this should make the upcoming November date a little less scary! |
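A way to check the policy step of such an Action offline, as an added example that is not part of the comment above or of Auth0's code: `api.access.deny` marks the login as denied but does not stop the handler, so every deny path has to return before `setAppMetadata` is reached. `applyPolicy`, `makeMockApi` and `runScenario` are hypothetical names, and the sample responses are constructed.

```javascript
// Added example: applyPolicy, makeMockApi and runScenario are hypothetical
// helpers, not part of the Auth0 Actions API.

const isStringArray = (v) => Array.isArray(v) && v.every((s) => typeof s === "string");

// Decide what to do with the policy endpoint's response. Returns true only
// when authorization data was written; every deny path returns early so no
// metadata write is requested alongside the denial.
function applyPolicy(api, response) {
  const data = response ? response.data : undefined;
  if (!response || response.status !== 200 || !data) {
    const detail = (data && data.message) || (response && response.status) || "no response";
    api.access.deny("Authorization Extension: " + detail);
    return false;
  }
  if (!isStringArray(data.roles) || !isStringArray(data.permissions)) {
    api.access.deny("Authorization Extension: malformed policy");
    return false;
  }
  api.user.setAppMetadata("authorization", {
    roles: data.roles,
    permissions: data.permissions,
  });
  return true;
}

// Stand-in for the PostLoginAPI object that records what the Action asked for.
function makeMockApi() {
  const calls = { denied: null, appMetadata: {} };
  return {
    calls,
    access: { deny: (reason) => { calls.denied = reason; } },
    user: { setAppMetadata: (key, value) => { calls.appMetadata[key] = value; } },
  };
}

function runScenario(response) {
  const api = makeMockApi();
  const ok = applyPolicy(api, response);
  return { ok, denied: api.calls.denied, appMetadata: api.calls.appMetadata };
}

// Constructed sample responses (not captured from a real tenant).
const samples = [
  { status: 200, data: { roles: ["admin"], permissions: ["read:users"] } },
  { status: 403, data: { message: "Forbidden" } },
  { status: 200, data: { roles: "admin" } },
];
for (const s of samples) console.log(JSON.stringify(runScenario(s)));
```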
Thanks @bndrgroup! I did also receive this response from Auth0 support:
|
and also received this update from Auth0 support:
|
At the moment the extension uses a rule to add the groups, roles and permissions to the user.
The rule is automatically installed when adding the extension and part of this repo:
https://github.com/auth0/auth0-authorization-extension/blob/master/server/lib/rules/authorize.js
Since rules are deprecated, this extension will no longer work out of the box after Nov 18, 2024.
Is it planned to replace the rule with an action?