Replace auth0-authorization-extension rule with an action

[philippsteinberg]

At the moment the extension uses a rule to add the groups, roles and permissions to the user. The rule is automaticly installed when adding the extension and part of this repo https://github.com/auth0/auth0-authorization-extension/blob/master/server/lib/rules/authorize.js

Since rules are deprecated this extenstion will no longer work out of the box after Nov 18, 2024 Is it planned to replace the rule with an action?

[RDP07]

Any answer here or date of when an answer might be coming for this?

[entropic489]

In the documentation for converting Rules to Actions, there's a limitation that directly affects this: https://auth0.com/docs/customize/actions/migrate/migrate-from-rules-to-actions#understand-limitations

Rules can add properties to the User object that then gets passed to subsequent Rules. Actions cannot do this.

[entropic489]

Got a workaround: you can use an Action to set a custom claim. User groups from Authorization Extension are synced to event.user.app_metadata.authorization.groups.

exports.onExecutePostLogin = async (event, api) => {
  const namespace = "https://test-namespace.com"
  const groups = event.user.app_metadata.authorization.groups;

  if (event.authorization) {
    // Set claims 
    api.idToken.setCustomClaim('${namespace}/groups', groups);
  }
};

Just can't override the reserved groups claim.

[simmerkaer]

That's cool and all, but what happens after November 18th, when the AuthorizationExtension rule no longer works and thus will not be setting the app_metadata values?

[hibiitt]

Hello, is there any information on this? I would like an answer to the last question from @simmerkaer.

[HirenPatel2791]

+1

[fujifilm-alinea]

+1

[mikvas-paf]

+1

[fsevilla06]

+1

[AndreaLandiArk]

+1

[hefnat]

+1

[AndreaLandiArk]

Got a workaround: you can use an Action to set a custom claim. User groups from Authorization Extension are synced to event.user.app_metadata.authorization.groups.

exports.onExecutePostLogin = async (event, api) => {
  const namespace = "https://test-namespace.com"
  const groups = event.user.app_metadata.authorization.groups;

  if (event.authorization) {
    // Set claims 
    api.idToken.setCustomClaim('${namespace}/groups', groups);
  }
};

Just can't override the reserved groups claim.

I also resolved this way

[hefnat]

Got a workaround: you can use an Action to set a custom claim. User groups from Authorization Extension are synced to event.user.app_metadata.authorization.groups.

exports.onExecutePostLogin = async (event, api) => {
  const namespace = "https://test-namespace.com"
  const groups = event.user.app_metadata.authorization.groups;

  if (event.authorization) {
    // Set claims 
    api.idToken.setCustomClaim('${namespace}/groups', groups);
  }
};

Just can't override the reserved groups claim.

I also resolved this way

Since this is making use of the app_metadata field, I'm concerned it will stop working after EOL of Rules

[alphonsoTheGreat]

+1

[tomerblecher]

+1

[ichalyk]

+1

[ahmedrage]

It is pretty concerning that we haven't gotten an answer to this since April. Will this extension stop functioning on Nov 18? Do we need to migrate to the core authorization features?

[bndrgroup]

I have managed to successfully migrate the rule to an action, which checks the authorization extension API and then sets the fields on the app_metadata object on the user. I have kept the query checks the same as they were in my original rule.

My organisation does not use groups, but you should be able to uncomment the line and it should work.

You will need to:

1. Get the Extension URL from the previous rule / User Interface. It will look like https://TENANT_NAME.eu.webtask.run/STRING
2. Add Axios as a dependency in the rule (i did this for convenience, can probably also use fetch)
3. Get your API Key - you will need to set this as a secret on the rule.

/** 
 * This Action was migrated from Rule. 
 * Rule name: auth0-authorization-extension 
 * Rule ID: rul_PVNRdieUcyRSWRC3 
 * Created on 21/10/2024 
 */

/**
* Handler that will be called during the execution of a PostLogin flow.
*
* @param {Event} event - Details about the user and the context in which they are logging in.
* @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
*/
const axios = require("axios");
const EXTENSION_URL = "***REPLACE WITH THE URL FOUND IN YOUR RULE***";
exports.onExecutePostLogin = async (event, api) => {
   if (api.rules.wasExecuted('rul_PVNRdieUcyRSWRC3')) { 
       return;
   } 
  var audience = '';
  audience = audience || event.request.query?.audience;
  if (audience === 'urn:auth0-authz-api') {
    api.access.deny('no_end_users');
  }

  audience = audience || event.request.body?.audience;
  if (audience === 'urn:auth0-authz-api') {
    api.access.deny('no_end_users');
  }

  const getPolicyData = await getPolicy(event.user, event);

  if (getPolicyData.status !== 200) {
    api.access.deny('Authorization Extension: ' + (getPolicyData.data?.message || getPolicyData.status));
  }
    api.user.setAppMetadata('authorization', {
        permissions: getPolicyData.data.permissions,
        roles: getPolicyData.data.roles,
        // groups: getPolicyData.data.groups
    })
};

async function getPolicy(user, event) {
  let responseBody = {
    connectionName: event.connection?.name || user.identities[0]?.connection,
    groups: parseGroups(user.groups)
  };

  let response = await axios.post(EXTENSION_URL + "/api/users/" + user.user_id + "/policy/" + event.client.client_id,
    JSON.stringify(responseBody), {
      headers: {
        "x-api-key": event.secrets.auth_api,
        "Content-Type": "application/json"
      }
    });

  return response;
}

function parseGroups(data) {
  if (typeof data === 'string') {
    return data.replace(/,/g, ' ').replace(/\s+/g, ' ').split(' ');
  }
  return data;
}

I have another action that executes after this, that sets the values to the access token.

exports.onExecutePostLogin = async (event, api) => {
    const namespace = "https://auth.yournamespace.com";
    if (event.user.app_metadata.authorization) {
      const roles = event.user.app_metadata.authorization.roles;
      const permissions = event.user.app_metadata.authorization.permissions;
      // Set claims 
      api.idToken.setCustomClaim(`${namespace}/roles`, roles);
      api.idToken.setCustomClaim(`${namespace}/permissions`, permissions);
    }
};

I do still think we need an official answer from Auth0, but this should make the upcoming november date a little less scary!

[ahmedrage]

Thanks @bndrgroup!

I did also receive this response from Auth0 support:

I have looked into this and the Extensions and Rules are considered separate. Extensions will continue working as usual and are not included in the Rules EOL. There is a rule that gets created as part of the extension, this rule will continue to function as before.

I do not know how access to that rule will work however and do not have communication on it. I have asked internally for more clarity and will let you know as soon as I hear back.

[ahmedrage]

and also received this update from Auth0 support:

I have some additional information from our product management team to share.

After November the 18th (which is the Rules/Hooks deprecation deadline) the extension will still be able to install the Rule to your tenant. What this means is that the Rule will appear in your Auth0 tenant dashboard and can be viewed and it will run as normal (as in no change on this behavior). You will not be able to make modifications however to this Rule (or any other extension linked Rules).