I feel a bit stupid opening up this new topic, because I would assume that something like this must already exist. However, I have already looked through several other threads, and none of them seem to describe my problem correctly…
There are two things I want to do:
I created a basic web application (Python Flask) and implemented the login and user management via Auth0. I was also able to assign roles to my users and to add these roles to the JWT ID Token using rules. Besides the role, I would also like to add the user's permissions to the ID Token, but it appears that this is only possible for APIs, not for basic web apps. Why?
Separately from this web app, I have an API (Python FastAPI) that I would like to call from my web app. Again, the requests to this API should be restricted depending on which user role is calling them. As far as I understood, one can easily add scopes and permissions to the API access token. However, this access token needs to look different for each user, because every user has a different role and therefore different permissions. I can think of two possible ways:
- When accessing the API, the user sends its ID token, and my API then uses this ID to send another request to the Auth0 backend to request the permissions this user has.
- The JWT ID Token already carries the roles and permissions that this user has.
Anyway, I don’t know how to implement either of them, because I am missing a way to request the role permissions from the auth0 backend.
I hope I described this well enough. Thanks for your help in advance,
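An added example, not code from the original post or from Auth0, of the check the API side has to do in the second approach above: verify the bearer token it receives and gate each request on a `permissions` claim of the kind Auth0 adds to an access token when RBAC is enabled for the API. The issuer, audience, shared secret and the `mint_token` stand-in for the tenant are constructed for this example. HS256 with a shared secret is used only so the example runs offline; Auth0 access tokens are signed with RS256 and should be verified against the tenant's JWKS with a library such as PyJWT or authlib, with the same issuer, audience, expiry and permission checks shown here.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example (not a real tenant or API).
SECRET = b"example-shared-secret-not-for-production"
ISSUER = "https://example-tenant.auth0.com/"   # assumed tenant issuer
AUDIENCE = "https://api.example.com"           # assumed API identifier


class AuthError(Exception):
    """Raised for any token or permission failure; map to 401/403 in the API."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub: str, permissions: list, ttl: int = 300, now=None) -> str:
    """Stand-in for the authorization server: mints an HS256 access token
    whose claims mirror the shape Auth0 uses (iss/sub/aud/iat/exp plus a
    `permissions` array). Only here so the example runs offline."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": AUDIENCE,
              "iat": now, "exp": now + ttl, "permissions": permissions}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, now=None) -> dict:
    """Verify signature, issuer, audience and expiry; return the claims."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise AuthError("malformed token")
    header = json.loads(b64url_decode(h))
    # Pin the algorithm; never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise AuthError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise AuthError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise AuthError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise AuthError("wrong audience")
    if now >= int(claims.get("exp", 0)):
        raise AuthError("token expired")
    return claims


def authorize(authorization_header, required_permission: str, now=None) -> dict:
    """What a FastAPI dependency does with the Authorization header:
    extract the bearer token, verify it, then require one permission."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        raise AuthError("missing bearer token")
    claims = verify_token(authorization_header[len("Bearer "):], now=now)
    if required_permission not in claims.get("permissions", []):
        raise AuthError(f"missing permission {required_permission}")
    return claims


if __name__ == "__main__":
    token = mint_token("auth0|alice", ["read:reports"])
    print(authorize("Bearer " + token, "read:reports")["sub"])
```

In FastAPI, `authorize` is wrapped in a dependency that reads the `Authorization` header and translates `AuthError` into a 401 (bad or missing token) or 403 (valid token, missing permission), and each route declares the permission it needs; the token the web app forwards is the access token it obtained for the API's audience, so the `permissions` claim is already specific to the calling user and no extra round trip to Auth0 is needed per request.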