Is it considered bad practice in terms of OAuth2 specification to add roles/permissions in ID token?
Hi @ahmed.mekliov,
Welcome to the Auth0 Community!
Yes, because the ID token holds information related to the user’s identity, as opposed to an access token, which contains information about a user’s access to protected resources.
This often includes roles and permissions that define the extent of the user’s access to these resources. For example, an Admin role might have CRUD (Create, Read, Update, Delete) permissions, whereas an end-user role might be limited to read-only permissions.
Given that, it’s considered best practice to store roles and permissions in the access token rather than the ID token.
Let me know if you have any additional questions.
Cheers,
Rueben
Hi @rueben.tiow ,
My question is related to a broader topic that we are currently facing. We need to get the permission/roles in FE in order to be able to show/hide different elements. Since the access token is not meant to be used in FE and it is considered bad practice to store the roles in ID token as well I was wondering what would be the best solution for situation like ours.
Regards,
Ahmed
Hi @ahmed.mekliov,
Thanks for the reply.
You should be able to use the access token on your front-end application.
Hey, @rueben.tiow
Yes, that is true, but is it considered a safe practice, since the access token issued for the resource owners and the FE is just a sending them to BE where the whole validation of the token and checking for the permissions is triggered. And according to OAuth specifications : An access token is used by a client to access a resource. And since there are no resources on FE I didn’t considered access token as valid option initially. What do you think?
Regards,
Ahmed
Hi @ahmed.mekliov,
This is true if you are accessing a protected resource. The FE is issued an access token from the BE after validating login credentials. The access token will contain permissions defined by scopes
and are used to determine if the user is allowed to access the resource.
Let me mention that you are not prohibited from adding permissions to the ID token, but as we discussed, it’s not ideal if you intend to use them to show/hide different types of data.
Thanks,
Rueben
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.