API permissions depending on user

Hi all,

I feel a bit stupid to open up this new topic, because I would assume that something like this must exist already. However, I’ve been looking into several other threads already and none of them seems to describe my problem correctly…

There are two things I want to do:

  1. I created a basic web application (Python Flask) and implemented the Login and user management via Auth0. I was also able to assign roles to my users and to add these roles to the JWT ID Token using rules. Besides the role, I would also like to add the user permissions to the ID Token, but it appears like that is only possible for APIs, not for basic web apps. Why?

  2. Separately from this web app, I have an API (Python FastAPI) that I would like to call from my web app. Again, the requests in this API should be restricted, depending on which user role is calling them. As far as I understood, one can easily add scopes and permissions to the API access token. However, this access token needs to look different for each user, because every user has a different role and therefore different permissions. I could think of two possible ways:

  • When accessing the API, the user is sending its ID token and then my API uses this ID to send another request to the Auth0 backend to request the permissions this user has.
  • The JWT ID Token already carries the roles and permissions that this user has.

Anyway, I don’t know how to implement either of them, because I am missing a way to request the role permissions from the Auth0 backend.

I hope I described this well enough & thanks for your help in advance,


Hi @buntspecht,

Welcome to the Community! Thanks for sharing your topic.

When you assign a role to a user via Auth0, it’s assumed that you are following Role-Based Access Control to manage permissions. This means that each role is assigned certain permissions instead of individual users. When a user is assigned a role, they are granted all of the permissions that were granted to the role.

If you’d like to follow the RBAC pattern, you can follow the steps described here: Authorization Core Features

Note: it is possible to assign permissions directly to users as documented here, but it is generally not recommended as it takes away from the benefits of the RBAC pattern.

Technically, you can add the user’s permission to the ID token if you’d prefer not to use RBAC. You can do this by adding the permission to the user’s app_metadata and then adding that as a custom claim just as you would for a role. But you may want to opt for sticking with roles for the ID Token/Access Token.

In OIDC, the consumer of the ID token is the web app and the consumer of the Access Token is the API. The ID token allows the web app to know that the user is logged in and provides some profile info about the user.

The API on the other hand is only concerned with the Access Token. You will not need to send the ID Token to the API at all. This is because OAuth2 uses bearer tokens for authorization. The API as the resource server can analyze the Access Token and know whether the user has permission to get the data they are requesting.

In this case, the API would be able to see the scopes issued in the Access Token and determine what can be returned to the web app.

Here is some more info about tokens: Tokens

Let me know if you have further questions!
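
An added example, not part of the reply above or of Auth0's own code: how an API acting as resource server can check an Access Token before serving a request, and why an ID token sent to it is rejected on audience. Assumptions: the token is signed with HS256 and a constructed shared secret so the example runs offline (a production API would normally verify an asymmetric signature against the tenant's published keys using a JWT library), the granted permissions arrive in a `scope` string and/or a `permissions` array, and the issuer, audience and permission names are constructed.

```python
import base64, hashlib, hmac, json, time

# Constructed values for this example only (assumptions, not from the thread).
SECRET = b"constructed-demo-secret"
ISSUER = "https://tenant.example.com/"
AUDIENCE = "https://api.example.com"   # identifier of the API, not the web app

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign(head, body, secret):
    return hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()

def make_token(claims, secret=SECRET):
    """Build a constructed HS256 token so the example runs offline."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{b64e(sign(head, body, secret))}"

def verify_access_token(token, now=None):
    """Return the claims once signature, audience, issuer and expiry pass."""
    try:
        head, body, sig = token.split(".")
        header, claims, given = json.loads(b64d(head)), json.loads(b64d(body)), b64d(sig)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError
    except ValueError:
        raise PermissionError("malformed token")
    if header.get("alg") != "HS256":   # pin the algorithm; never trust the header's choice
        raise PermissionError("unexpected alg")
    if not hmac.compare_digest(sign(head, body, SECRET), given):
        raise PermissionError("bad signature")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("wrong audience")   # e.g. an ID token sent to the API
    if claims.get("iss") != ISSUER:
        raise PermissionError("wrong issuer")
    if claims.get("exp", 0) <= (now or time.time()):
        raise PermissionError("expired")
    return claims

def authorize(token, required, now=None):
    """True only if a verified access token grants the permission `required`."""
    claims = verify_access_token(token, now)
    granted = set(claims.get("scope", "").split()) | set(claims.get("permissions", []))
    return required in granted
```

In a FastAPI service, `authorize` would sit in a dependency that reads the bearer token from the `Authorization` header and returns 401 on `PermissionError` and 403 when it returns `False`.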
