My Auth0 users belong to multiple organizations in a classic multi-tenant context. For that reason, I need to modify access tokens generated at authentication time (using Rules/Hooks/Actions if necessary) to inject the correct scope claim in the access token.
The reason I do not want to use custom claims is because I need to use AWS HTTP API JWT Authorizers to validate the token automatically and restrict access to the called API according to the scope of the token.
Yes, sure! As I said in my question, the end result of token usage would be its validation by an AWS JWT Authorizer. The way this is done is by checking the token’s scope claim against the required scope of the lambda function being called.
The problem is that for our use case, a given user does not always have the same scope assigned to them; instead, that depends upon the “entity” they’re trying to fetch the token for. Imagine you as a user logging into an application, choosing to look at the data for Entity A; in that case you are an Admin. However, you may switch (refetch a new JWT token from Auth0) at any moment to look at data from Entity B, where you are just a Viewer.
You aren’t able to update the scopes claim directly, like I mentioned. It is set based on the permissions assigned to the user either directly, or indirectly via Role-Based Access Control. Is the entity the resource you are trying to access? If it is, you may want to seperate them into different APIs/audiences and assigned roles based on each one.
For example, you could create an Entity A API and an Entity B API within Auth0, and assign a user an Entity A - Admin role and an Entity B - Viewer role, and they would have the respective permissions if you were requesting a token with either audience.
Thank you Dan, but no, the Entity is a company. It’s a simple multi-tenant context. The API (resource) is the same, but the user access privilege to the same API differs per Entity. I hope it’s clearer.
Using Fake Co. as an example, you would have entityA.fakeco.com/api and entityB.fakeco.com/api. The token would have an audience for either entity, and scopes would be determined by which role the user is assigned for that audience.
Thank you @dan.woda but I think I’m unable to get my point across yet. Entity in our case is an organization. Users have a different role per organization. I can’t possibly create a different API audience per organization, can I? We have hundreds!