I have created an API and added some custom scopes, such as Message:Read
, Users:Delete
.
Where do I assign these scopes to a user? For example, that user Bob has the scope Message:Read
.
I have created an API and added some custom scopes, such as Message:Read
, Users:Delete
.
Where do I assign these scopes to a user? For example, that user Bob has the scope Message:Read
.
If you want to restrict the set of scopes that can be requested on a per-user basis then you can do so by implementing the associated access policy through rules.
A very simple rule example with an hardcoded access policy follows:
function (user, context, callback) {
var _ = require("lodash");
var req = context.request;
// Get requested scopes
var scopes = (req.query && req.query.scope) || (req.body && req.body.scope);
// Normalize scopes into an array
scopes = (scopes && scopes.split(" ")) || ];
// Restrict the access token scopes according to the current user
context.accessToken.scope = restrictScopes(user, scopes);
callback(null, user, context);
function restrictScopes(user, requested) {
// Full list of scopes available hardcoded for demo purposes
var all = "read:examples", "write:examples"];
// Applies hardcoded logic to restrict the possible scopes;
// replace with your access control logic that can perform
// external requests or use data available at the user level
var allowed;
if (user.email === "user1@example.com") {
allowed = "read:examples"];
} else {
allowed = all;
}
// Intersect allowed with requested to allow the client
// application to request less scopes than all the ones the
// user has actually access to. For example, the client
// application may only want read access even though the
// user has write access
return _.intersection(allowed, requested);
}
}
You should be able to reuse most of it though and just replace the logic that happens within the restrictScopes
function to actually apply your business logic. Have in mind that the above is a very simplistic implementation as it assumes a single audience and does not take in consideration OIDC scopes that may or may not be important for your scenario; check the answer on this other question for an example of a rule that has notion of OIDC scopes.
Thanks,
But I thought I can apply the scopes to a User in the App_MetaData field?
Or have I misunderstood.
Essentially, I want to secure certain RESTful endpoints to only those users who have the permission.
Thanks
Thanks,
But I thought I can apply the scopes to a User in the App_MetaData field?
Or have I misunderstood.
Essentially, I want to secure certain RESTful endpoints to only those users who have the permission.
Thanks
You can store the information that allows you to make the decision in app_metadata
; however, you would still use the rule to check if the user has the right app_metadata
information and issue the token with the scopes in accordance to the metadata.
The recent recommendations for how to implement this with Auth0 RBAC can be found on this QA.
The recent recommendations for how to implement this with Auth0 RBAC can be found on this QA.