App metadata for authorization?

mireecek · September 23, 2019, 8:05pm

I am developing a Ruby (api backend) + Nuxt (frontend) application and thinking what would be the best approach for authorization.

Should I use app_metadata to store a json similar to the following code or build that functionality in application itself? I need to grant permission/role to a user or group on resource level. E.g. one user can have write permission in project A, but only read for project B etc.

"organizations": [
{
    "id": "1",
    "key": "my-org",
    "roles": {
      "organizations": [
        {
          "id": "1",
          "key": "my-org",
          "role": "Organization Admin"
        },
        {
          "id": "2",
          "key": "my-project",
          "role": "Project User"
        }
      ],
      "projects": [
        {
          "id": "1",
          "key": "my-project",
          "role": "Project Admin"
        },
        {
          "id": "2",
          "key": "my-project",
          "role": "Project User"
        }
      ]
    }
}

]

JayKiller · September 23, 2019, 8:14pm

What are you trying to accomplish?

mireecek · September 24, 2019, 7:33pm

I need to build permission management within the application and am wondering if app_metadata in auth0 could be used for storing that information. I know there is a way to define permission like create:projects, edit:projects etc, but I need to define this on object level (not globally). As I mentioned above, typical scenarios I need to deal with are:
User A has read permission to Project 1, but write permission to Project 2. User B has write permission to project 1, but read permission to project 2… etc. Same applies on API layer: User A has permission to call POST /projects/1/ (attributes to change) and GET /projects/2/…

JayKiller · September 24, 2019, 8:36pm

You can setup the rule for the permission so that user A is not able to access project B.

user B is not able to access Project A.

That shouldn’t be too hard