Auth0 Home Blog Docs

Auth0 adding scopes for an API

scopes
access-token
tokens

#1

I’m adding my custom ASP.Net WebAPI to Auth0’s API configuration. It’s my understanding I can add scopes to my API inside Auth0. A scope is just a name like read:contacts. When a user to my client authenticates, I can request a set of scopes to be included in the subsequently generated access token. It’s my understanding that my custom ASP.Net WebAPI, which is expecting an access token, can then introspect the token for different scopes and affect functionality according to what scopes are available.

How do you manage scopes entered into Auth0 with how you address scopes inside your custom WebAPI? Is it simply a matter of deciding what scopes your WebAPI needs and making sure Auth0 is setup with the correct set of scopes?

Does this create a tight coupling between your WebAPI and Auth0 in terms of scopes? I can imagine that there could be other apps/services/what-have-ya that want to use your WebAPI but do not use Auth0.

What are the guidelines/best practices for handling scopes between your custom WebAPI and Auth0?


#2

In asp.net (.net core in my case) I create the Api Client as seen here https://community.auth0.com/answers/4752/view

and pass in scopes on various behaviours of my api wrapping methods:

e.g:

var scopes = new
                {
                    users = new
                    {
                        actions = new] { "read", "update" }
                    },
                    users_app_metadata = new
                    {
                        actions = new] { "read", "update" }
                    }
                };

                var client = GetClient(scopes);

                var user = await client.Users.GetAsync(id);

#3