Accessing app-specific user permissions in front-end

dalec · March 16, 2020, 3:53pm

This question is essentially a follow-up to THIS ONE but that is locked so I had to create a new one.

So the problem is pretty simple. The response from a successful authorization contains an accessToken, which has in it all of the permissions that the user has for that specific API only. It also contains an idToken, which is the only thing that the UI should actually be looking at. Neither are encrypted or anything. There’s nothing stopping the UI from reading the permissions straight out of the accessToken except advice that we shouldn’t.

So the suggested solution is to make a rule which makes a call to the Auth0 API to get the user’s permissions and set them as a custom claim in the idToken. The list of permissions returned, however, are ALL permissions for every API that the user has permissions for, not just the one that the user is being authenticated for.

So the suggested way to fix that (as of last October) is to cross-reference this list of all permissions the user has with the list of all permissions the API that the user is authenticating for has.

So I need to know which API that is. Okay. Well I know the ID of that API within the rule because it’s in context.request.query.audience, so I could figure out how to get all permissions for that API ID, or I could filter the permissions by that API ID to avoid making another call to the Auth0 API.

Except if the rule is being run as a redirect-callback, then context.request.query.audience has been removed. So I’d have to add it back in as an additional query parameter when I call /continue. In order to do that, I’d have to put the API ID in the URL that I redirect to.

All that, or make an additional call to my API to ask it for the permissions that I’m giving it.

This seems like a lot of workaround and inefficiency just to tell the front-end the same exact permissions that are already available right there in the accessToken. Is there a simpler way? If not, why?

dan.woda · March 17, 2020, 9:37pm

Hi @dalec,

Thanks for starting a new thread with a thorough description of your situation. Can you link to me where you are seeing advice against checking the access token directly in your UI? I am curious about the use-case here as well. Are you planning on checking the user permission before your API call to avoid an ‘access denied’ response from your api?

Let me know,
Dan

dalec · March 17, 2020, 10:13pm

Thanks for responding @dan.woda . I’ve seen it in many places in the documentation and several community forum topics. Here’s the one i could find again the quickest:

and the auth0 client sdk doesn’t expose any way to read things from the access token, like it does for the id token.

Yes, I am planning on checking the user permission to hide/disable features the user doesn’t have permission to access (the API will deny those requests).

dan.woda · March 18, 2020, 7:47pm

@dalec,

Thanks for the follow up info. At this point, I don’t think anything has changed from the post you linked.

You could use a strategy that employs roles, something like this, otherwise you will need to get the permissions like you described. If you feel like there is a gap here, our product team would appreciate hearing more about it. If you can, please fill out a feedback ticket.

dan.woda · April 1, 2020, 11:47pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.