I have a route for example the Settings page that should only be accessed by Super Admins that have the required permissions (for example read:settings). So it is a route that not only requires an authenticated user but also one that has the appropriate permission.
I am thinking I need to augment the PrivateRoute component to have an additional permissions check for the Settings page and redirect to a Not Authorized page if the user doesn’t have the required permissions. I have confirmed that the permissions array is being returned but it isn’t clear to me how I would access this array.
Not sure about the React specific part, but just note that access tokens are by design not meant to be parsed by the client, they’re only meant for the backend / resource server (the audience for which it has been issued). If the permissions are needed in the client, then that should be a separate API call, or it could be added to the ID token (which is explicitly meant for the client to be used) via custom claims through the Auth0 Rules. The permissions can be read within a rule through the Management API.
I do need to access the permissions on the client to know whether to allow the user to access a protected page (a page that requires a certain permission over and above being authenticated). Once I turned on “Enable RBAC” and “Add Permissions in the Access Token” in the configuration settings for my logical API and also specified this API in the “audience” parameter of the Auth0Provider React component, the permissions array is passed back along with the access token.
Note that the permissions array does not come back with the ID token as you mentioned but rather with the access token.
I can get a reference to the Auth0Client instance from inside my react component and I do see that the token gets cached within it.
@ryantomaselli Understood, so you would need to add it as custom claims into the ID token via Rules, as per my previous answer. Are the links provided sufficient to get it to work?
In the Management console (at Auth0 Management API v2), when I plug in the user_id and add in defaults for the other fields (just to be sure), I’m getting the following response and it’s unclear to me why:
Oh, I see now “that rules will also have access to several modules defined globally, including auth0”, so I should be able to call getUserPermissions inside the rule.
function (user, context, callback) {
  var ManagementClient = require('auth0@2.17.0').ManagementClient;
  var management = new ManagementClient({
    token: auth0.accessToken,
    domain: auth0.domain
  });
  // Paging params from the docs page; 'sort' and 'include_totals' belong to the logs endpoint and are dropped here
  var params = { id: user.user_id, page: 0, per_page: 50 };
  management.getUserPermissions(params, function (err, permissions) {
    if (err) {
      // Fail closed: abort the login instead of issuing a token without the permissions claim
      return callback(err);
    }
    // Custom claims must be namespaced (URL-style prefix) or Auth0 silently drops them
    var namespace = 'https://example.com/'; // placeholder, use your own namespace
    context.idToken[namespace + 'permissions'] = permissions.map(function (p) {
      return p.permission_name;
    });
    // The rule must always hand control back, otherwise the login hangs
    callback(null, user, context);
  });
}
Update/edit: one thing to note is that this rule would call the management API on every authentication request (this might lead to rate-limit issues). A way to optimize it would be to pre-calculate a user’s permissions and store it in the user’s app_metadata. The updating could be triggered by the Auth0 Authentication API Webhooks, listening to the respective events.
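For the React side of the question, here is an added example (not code from the thread or from Auth0) of the permission gate a PrivateRoute could use once the rule has put the permissions into the ID token. It assumes the rule wrote them under the namespaced claim NAMESPACE + 'permissions' and that the `user` object returned by useAuth0() exposes the decoded ID token claims; it is kept framework-free so it runs under Node.

```javascript
// Placeholder namespace; it must match the one used in the rule.
const NAMESPACE = 'https://example.com/';

// Read the permissions claim from the decoded ID token claims.
// A missing or malformed claim is treated as "no permissions" (fail closed).
function getPermissions(claims) {
  const value = claims && claims[NAMESPACE + 'permissions'];
  if (!Array.isArray(value)) return [];
  return value.filter((p) => typeof p === 'string');
}

// True only if every required permission is present.
function hasPermissions(claims, required) {
  const granted = new Set(getPermissions(claims));
  const needed = Array.isArray(required) ? required : [required];
  return needed.every((p) => granted.has(p));
}

// What a PrivateRoute should do: 'login' (not signed in), 'not-authorized'
// (signed in but lacking the permission), or 'render' the page.
// This only gates the UI; the API must still check the access token it receives.
function routeDecision({ isAuthenticated, user }, required) {
  if (!isAuthenticated) return 'login';
  if (!hasPermissions(user, required)) return 'not-authorized';
  return 'render';
}

// Constructed sample claims, shaped like useAuth0().user after the rule ran.
const superAdmin = {
  sub: 'auth0|superadmin',
  [NAMESPACE + 'permissions']: ['read:settings', 'write:settings'],
};
const viewer = {
  sub: 'auth0|viewer',
  [NAMESPACE + 'permissions']: ['read:dashboard'],
};

// In a React component (not runnable here):
//   const { isAuthenticated, user } = useAuth0();
//   const decision = routeDecision({ isAuthenticated, user }, 'read:settings');
//   if (decision === 'login') return <Redirect to="/login" />;
//   if (decision === 'not-authorized') return <Redirect to="/not-authorized" />;
//   return <Settings />;
```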