Adding Groups, Roles and Permissions to your Auth0 users, for free!

Phil, published in toJS, Mar 8, 2018

In a previous post we discussed how to include Groups, Roles and Permissions in JWT access tokens returned from Auth0. This was based on using the Authorization Extension, which requires being on one of the Auth0 paid tiers.

If you’re on a tight budget or only have a small number of users, a (potentially) more economical solution is to take advantage of the app_metadata fields available on Auth0-managed users (these are fields that are read-only to the user).

To maintain parity with the previous example, simply add the following entry to a user in Auth0:

Manually adding permissions to a user.

…and then we need to create a new rule (or update the one we created previously) to grab this data from the app_metadata property of the user:

Again, if everything works, you should end up with a JWT that (when decoded) looks something like this:

Decoded JWT with Groups, Roles and Permissions.
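
A rule of the kind described above, written out as an added example (it is not the post's original code). It assumes the user's app_metadata holds an authorization object with groups, roles and permissions arrays, and it uses a hypothetical claim namespace, https://example.com/claims/; the names addAuthzClaims, cleanList and runRule and the sample user are constructed for illustration.

```javascript
// Added example, not the original post's rule.
// Assumption: custom claims are namespaced with a URL you control (hypothetical value).
const NAMESPACE = 'https://example.com/claims/';

// Keep only non-empty strings, deduplicated; anything else in the field is dropped.
function cleanList(value) {
  if (!Array.isArray(value)) return [];
  return [...new Set(value.filter((v) => typeof v === 'string' && v.trim() !== ''))];
}

// Same signature Auth0 passes to a rule: (user, context, callback).
function addAuthzClaims(user, context, callback) {
  // Read authorization data from app_metadata only (read-only to the user).
  // user_metadata may be user-editable, so it is never consulted here.
  const authz = (user.app_metadata && user.app_metadata.authorization) || {};
  context.accessToken = context.accessToken || {};
  for (const key of ['groups', 'roles', 'permissions']) {
    context.accessToken[NAMESPACE + key] = cleanList(authz[key]);
  }
  callback(null, user, context);
}

// Constructed sample user (assumed app_metadata layout).
const sampleUser = {
  user_id: 'auth0|constructed-sample',
  user_metadata: { authorization: { roles: ['Admin'] } }, // must be ignored
  app_metadata: {
    authorization: {
      groups: ['Managers'],
      roles: ['Editor', 'Editor', 42], // duplicate and non-string are filtered out
      permissions: ['read:posts', 'write:posts'],
    },
  },
};

// Local harness: invoke the rule the way Auth0 would and return the custom claims.
function runRule(user) {
  let claims;
  addAuthzClaims(user, { accessToken: {} }, (err, u, ctx) => { claims = ctx.accessToken; });
  return claims;
}

console.log(JSON.stringify(runRule(sampleUser), null, 2));
```

In the Auth0 rule editor the body of addAuthzClaims becomes the rule function; the harness and sample user are only for running it locally.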

You can read more about reading and writing user metadata here.

As usual, if you found this useful, give us a shout out on Twitter and if you are looking for some help on a JavaScript project, hit us up @ https://toJS.io.
