Altering Access Token Scope/Permissions Per Organization

Hello,

My Auth0 users belong to multiple organizations in a classic multi-tenant context. For that reason, I need to modify access tokens generated at authentication time (using Rules/Hooks/Actions if necessary) to inject the correct scope claim in the access token.

The reason I do not want to use custom claims is because I need to use AWS HTTP API JWT Authorizers to validate the token automatically and restrict access to the called API according to the scope of the token.

Any ideas?

Hi @calqulate,

Welcome back!

Can you give an example of the changes you’d like to make to the token? It’s typically not possible to changes claims like scope in the token via rules/hooks/actions/etc.

You can update the scopes directly in a rule.

Hello @dan.woda,

Yes, sure! As I said in my question, the end result of token usage would be its validation by an AWS JWT Authorizer. The way this is done is by checking the token’s scope claim against the required scope of the lambda function being called.

The problem is that for our use case, a given user does not always have the same scope assigned to them; instead, that depends upon the “entity” they’re trying to fetch the token for. Imagine you as a user logging into an application, choosing to look at the data for Entity A; in that case you are an Admin. However, you may switch (refetch a new JWT token from Auth0) at any moment to look at data from Entity B, where you are just a Viewer.

I hope it’s clearer.

You aren’t able to update the scopes claim directly, like I mentioned. It is set based on the permissions assigned to the user either directly, or indirectly via Role-Based Access Control. Is the entity the resource you are trying to access? If it is, you may want to seperate them into different APIs/audiences and assigned roles based on each one.

For example, you could create an Entity A API and an Entity B API within Auth0, and assign a user an Entity A - Admin role and an Entity B - Viewer role, and they would have the respective permissions if you were requesting a token with either audience.

Would that make sense?

Thank you Dan, but no, the Entity is a company. It’s a simple multi-tenant context. The API (resource) is the same, but the user access privilege to the same API differs per Entity. I hope it’s clearer.

@dan.woda any updates on this please?

Hi @calqulate, sorry for the delay.

Using Fake Co. as an example, you would have entityA.fakeco.com/api and entityB.fakeco.com/api. The token would have an audience for either entity, and scopes would be determined by which role the user is assigned for that audience.

Thank you @dan.woda but I think I’m unable to get my point across yet. Entity in our case is an organization. Users have a different role per organization. I can’t possibly create a different API audience per organization, can I? We have hundreds!

One more thing @dan.woda, reading here: Auth0 Configuration (SPAs + API), it seems it is indeed possible to alter the scope! Where am I confused exactly?

I was mistaken, you should be able to manipulate the scopes directly via a rule. Thanks for catching that, I’ll update my previous post.