I’m confused about what I’m doing. I need to implement a proxy Java Spring application that allows users managed by Auth0 (either registered through Lock with email and password, or authenticated with Google) to log in (using this example: https://auth0.com/docs/quickstart/webapp/java-spring-mvc/01-login).
I cannot understand how Auth0 can define real custom scopes (i.e. from Lock it only shows scope=openid), while I want to define something such as myapplication_read, myapplication_write, … and when the user logs in, Auth0 would check the user’s permissions (which ideally I set from the management page); then, if the user does not have the myapplication_write scope, the access token should only contain scope: [openid, myapplication_read].
However, I don’t know whether Auth0 can do this, so I have to do it like this. I added a scopes property to each user’s metadata, e.g. a newly registered user will have empty user_metadata, but an admin user will have:
{
  "scopes": [
    "myapplication_write"
  ]
}
And I have to add a rule to add this user_metadata containing the scopes property to the ID token in the JWT (I get an opaque access token when the user logs in with Lock, which is not a JWT, so I cannot decode it).
function (user, context, callback) {
  // Custom claims must be namespaced with a URL, otherwise Auth0 silently drops them from the token.
  var namespace = 'https://yourdomainname.com/';
  // Copy both metadata objects into the ID token so the proxy can read the "scopes" property.
  context.idToken[namespace + 'app_metadata'] = user.app_metadata;
  context.idToken[namespace + 'user_metadata'] = user.user_metadata;
  callback(null, user, context);
}
And when the user has logged in, he can use the ID token to make a request to the proxy with curl like this:
curl -L -H "Authorization: ID_TOKEN" "http://PROXY/endpoint?request=myapplication_write&a_request_to_internal_web_application_after_proxy"
and at that endpoint I add a Spring controller that parses the query string and checks the ID_TOKEN: I decode the ID token, as it is base64, and check the scopes property to know whether the user has the permission he asked for in the request parameter (myapplication_write) of the above request.
And if the request value does not belong to the scopes property of the ID token, I just deny the user’s request. If the scopes property contains the request value, then I forward to an internal web application which will process the request.
I don’t know whether I’m doing this correctly or just doing it wrong?