Auth0 Home Blog Docs

Add custom metadata to user_metadata to filter user's permission, is it right?



I’m confusing about what I’m doing. So I need to implement a Proxy Java Spring application which will allow users, managed by auth0 (either using Lock to register with email, password or authenticated from Google), to login (using this example:

As I cannot understand how auth0 can define the real custom scopes (i.e: from the Lock, it only shows: scope=openid) while I want to define something such as: myapplication_read, myapplication_write,…and when user login, auth0 will check the user’s permission (which ideally is set by me from management page) then if user does not have myapplication_write scope then the access token should only contain scope: [openid, myapplication_read].

However, I don’t know auth0 can do it, so I have to do like this. I added in each user’s metadata the scope property, e.g: a newly registered user will have empty user_metadata, but an admin user will have:


And I have to add a rule for this to add this user_metadata containing scopes property to Id token in JWT (I got an opaque access token when user login with Lock which is not JWT, so I cannot use it to decode).

function (user, context, callback) {
  var namespace = '';
  context.idToken[namespace + 'app_metadata'] = user.app_metadata;
  context.idToken[namespace + 'user_metadata'] = user.user_metadata;
  callback(null, user, context);

And when user logged in, he can use the id token to make a request to Proxy with curl like this

curl -L -H "Authorization: ID_TOKEN" "http://PROXY/endpoint?request=myapplication_write&a_request_to_internal_web_application_after_proxy"

and in the endpoint I add a Spring controller to parse the query string and check the ID_TOKEN which I decode the id token as it is base64 and check the scopes property to know user can have the permission as he wanted from the request parameter (myapplication_write) of above request.

And if the request value does not belong to scopes propery of the id token, I will just deny the request from the user. If it has the request value in scopes property, then I will foward to an internal web application which will process the request.

I don’t know I’m doing it correctly or I’m just making it wrongly?


There are some best practices for user data storage. According to those practices, permissions should be stored in app_metadata instead of user_metadata. Those practices are well documented here. Please walk through them.

For managing permissions, I would like to recommend you to make use of Autho Authorization Extension. Further details can be found here.