Add custom metadata to user_metadata to filter user's permission, is it right?

b.phamhuu · August 30, 2017, 3:10pm

I’m confusing about what I’m doing. So I need to implement a Proxy Java Spring application which will allow users, managed by auth0 (either using Lock to register with email, password or authenticated from Google), to login (using this example: https://auth0.com/docs/quickstart/webapp/java-spring-mvc/01-login).

As I cannot understand how auth0 can define the real custom scopes (i.e: from the Lock, it only shows: scope=openid) while I want to define something such as: myapplication_read, myapplication_write,…and when user login, auth0 will check the user’s permission (which ideally is set by me from management page) then if user does not have myapplication_write scope then the access token should only contain scope: [openid, myapplication_read].

However, I don’t know auth0 can do it, so I have to do like this. I added in each user’s metadata the scope property, e.g: a newly registered user will have empty user_metadata, but an admin user will have:

{
  "scopes": 
    "myapplication_write"
  ]
}

And I have to add a rule for this to add this user_metadata containing scopes property to Id token in JWT (I got an opaque access token when user login with Lock which is not JWT, so I cannot use it to decode).

function (user, context, callback) {
  var namespace = 'https://yourdomainname.com/';
  context.idToken[namespace + 'app_metadata'] = user.app_metadata;
  context.idToken[namespace + 'user_metadata'] = user.user_metadata;
  callback(null, user, context);
}

And when user logged in, he can use the id token to make a request to Proxy with curl like this

curl -L -H "Authorization: ID_TOKEN" "http://PROXY/endpoint?request=myapplication_write&a_request_to_internal_web_application_after_proxy"

and in the endpoint I add a Spring controller to parse the query string and check the ID_TOKEN which I decode the id token as it is base64 and check the scopes property to know user can have the permission as he wanted from the request parameter (myapplication_write) of above request.

And if the request value does not belong to scopes propery of the id token, I will just deny the request from the user. If it has the request value in scopes property, then I will foward to an internal web application which will process the request.

I don’t know I’m doing it correctly or I’m just making it wrongly?

prakharkumar79 · August 31, 2017, 1:52pm

There are some best practices for user data storage. According to those practices, permissions should be stored in app_metadata instead of user_metadata. Those practices are well documented here. Please walk through them.

For managing permissions, I would like to recommend you to make use of Autho Authorization Extension. Further details can be found here.

Topic		Replies	Views
Unable to get user_metadata or app_metadata or any custom scope Help apis , application	0	311	February 24, 2024
Set scope based on user metadata Help roles , user-metadata , scope	2	6958	March 2, 2018
Add custom scopes in the access token ( Authorization code flow with OIDC provider) Help	9	24581	June 24, 2022
Custom rule to add user.app_metadata to accessToken does not trigger Help jwt , auth0 , rules	5	7727	January 8, 2024
app_metadata missing when getting a user JWT using auth0-java Help app_metadata , java , auth0-java	2	5402	March 2, 2018

Add custom metadata to user_metadata to filter user's permission, is it right?

Related Topics