Update Roles from Identity Provider

We’re working on a project that is using Auth0 as an OpenID Connect 1.0 Identity Provider and we’re storing the users’ roles on Auth0. Auth0 is set up to pass the roles with the response object when the user logs in and Ignition is set up to assign those roles to the user’s session through the Identity Provider’s User Attribute Mapping for Roles (Type: direct, Source: ID Token Claims). This leads to the problem that to update a user’s role, they have to log out and log back in, which is annoying at best and a security issue at worst.

Is there a way to get Ignition to update the user’s roles from the third-party Identity Provider?

dvaughn, would you be able to share how you were able to successfully map the Auth0 role to the user role using User Attribute Mapping? Auth0 is forcing me to use a URL as a custom namespace to pass the custom token necessary to send role information. My response document (via Test Login) has the information, but everything I try in User Attribute Mapping results in the roles being blank. Any suggestions?

In Auth0 Auth Pipeline Rule:

function (user, context, callback) {
  // Auth0 requires custom claims to be namespaced with a URL.
  const namespace = 'https://example.com/';

  // Assumed source of the roles: the user's app_metadata (the original
  // snippet references `metadata` without showing where it comes from).
  const metadata = user.app_metadata || {};

  let roles = [];

  if (metadata && metadata.roles) {
    roles = roles.concat(metadata.roles);
  }

  // Only add the claim to the ID token when there is something to add.
  if (roles.length > 0) {
    context.idToken[namespace + 'roles'] = roles;
  }

  callback(null, user, context);
}

So the roles are an array of strings on the https://example.com/roles property.

Then over in Ignition, under the Identity Provider’s User Attribute Mapping, set the Roles section to the following:

Type: Direct
Source: ID Token Claims
Path: ["https://example.com/roles"]

Hope that helps.
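As an added illustration (not part of the thread and not Ignition's own code), this resolves a Path written as a JSON array of key segments against the decoded ID token claims, which is how the working mapping `["https://example.com/roles"]` reads the namespaced claim. It assumes each segment is one literal key and that the roles claim is an array of strings; the claims object is a constructed sample.

```javascript
// Constructed sample of the claims in an ID token after the Auth0 rule
// above has added the namespaced roles claim.
const SAMPLE_CLAIMS = {
  sub: "auth0|123456",
  email: "operator@example.com",
  "https://example.com/roles": ["Operator", "Administrator"],
};

// Walk the claims object one key segment at a time. Each segment is a
// literal key: "https://example.com/roles" is a single key, not the key
// "roles" nested under "https://example.com/".
function resolvePath(claims, pathJson) {
  const segments = JSON.parse(pathJson);
  if (!Array.isArray(segments)) {
    // A bare string like "https://example.com/roles" (no brackets) is
    // not a path array; reject it instead of guessing.
    throw new Error('Path must be a JSON array of keys, e.g. ["https://example.com/roles"]');
  }
  let node = claims;
  for (const key of segments) {
    if (node === null || typeof node !== "object" ||
        !Object.prototype.hasOwnProperty.call(node, key)) {
      return undefined;
    }
    node = node[key];
  }
  return node;
}

// Roles must arrive as an array of non-empty strings; any other shape
// yields no roles rather than a partial or malformed grant.
function extractRoles(claims, pathJson) {
  const value = resolvePath(claims, pathJson);
  if (!Array.isArray(value) ||
      !value.every((r) => typeof r === "string" && r.length > 0)) {
    return [];
  }
  return value;
}
```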

You’re a lifesaver! I was missing the brackets in the Path mapping. /facepalm