Hi Everyone,
I have an Express server and an Azure function app (can be treated as a separate server) running and I need for the Azure app to be able to authenticate any API requests it makes to the express server. I’ve set this up with an API that has an authorized Machine to Machine application setup on the Auth0 and I generate a token for my Azure app using the client-credentials grant (using the Client ID + secret). This is working at this point in time.
I also have users who are able to login to the site served by the Express server. They use the Auth0Lock library to authenticate against the same API as the one used for the client-credential grant. This is also working.
I now have an additional requirement to restrict access to certain APIs on my Express server to certain user roles/groups. To do this, I created a new rule which adds a custom claim to the access_token with a role from that user’s app_metadata, based on what I found in Access Tokens.
This rule doesn’t work on the client-credential grant but following Customize Tokens Using Hooks with Client Credentials Flow I created a hook for my client credentials which can add a role here.
The problem I have with this is that this hook appears to add the role to every client-credential grant, not just the ones from the client I want. I am considering adding the client ID of the application I want as a secret and comparing it against the one given by the client.id argument.
My questions are as follows:
1.) Is the above idea secure? Would comparing any of client.tenant, audience, context.body.client_secret be required and/or sufficient?
2.) More generally, is this the proper way to go about authentication/authorizing users? I’m new to using Auth0 and security in general but we’re prepared to remove the current system and rebuild if there is a better way to go about this.
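An added example, not from the original post or from Auth0, of the client-ID comparison the post describes, alongside the Express-side check of the resulting claim. It assumes a hook secret named ALLOWED_CLIENT_IDS (comma-separated client IDs), a claim namespace of https://example.com/role and a constructed role value of 'service'; none of these names come from the post.

```javascript
// Assumed names (not from the post): secret ALLOWED_CLIENT_IDS, claim
// namespace https://example.com/role, role value 'service'.
const NAMESPACE = 'https://example.com/role';
const SERVICE_ROLE = 'service';

// Auth0 client-credentials exchange hook. Auth0 calls it as
// module.exports = function (client, scope, audience, context, cb).
// Auth0 has already authenticated the client (ID + secret) before the hook
// runs, so client.id is trustworthy; the hook only decides whether THIS
// client is one that should carry the role claim.
function clientCredentialsHook(client, scope, audience, context, cb) {
  const accessToken = { scope: scope };
  const secrets = (context && context.webtask && context.webtask.secrets) || {};

  // Allow-list of client IDs kept in the hook's secrets, never hard-coded.
  const allowed = String(secrets.ALLOWED_CLIENT_IDS || '')
    .split(',')
    .map((s) => s.trim())
    .filter(Boolean);

  if (client && client.id && allowed.includes(client.id)) {
    accessToken[NAMESPACE] = SERVICE_ROLE;
  }
  // Every other client gets a plain token with its scope and no role claim.
  return cb(null, accessToken);
}

// Express-side counterpart: after the JWT middleware has verified the token's
// signature, issuer and audience and placed its payload on req.user, gate a
// route on the namespaced role claim. Missing or wrong role -> 403.
function requireRole(role) {
  return function (req, res, next) {
    const claims = req.user || {};
    if (claims[NAMESPACE] !== role) {
      return res.status(403).json({ error: 'forbidden' });
    }
    return next();
  };
}

module.exports = { clientCredentialsHook, requireRole, NAMESPACE, SERVICE_ROLE };
```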