Authorization Core for applications?

Hi everybody,

I spent some time reading the doc about the new Authorization Core feature, but I could not find an answer to my question: can I use Authorization Core for applications?

With the Extension I can define some permissions tied to an app, put them in a role, and assign this role to a user. Whenever the user logs in (I’m using Authorization Code flow), my app will receive a token containing those permissions (if I configured a rule to insert them) or I can fetch them from the user profile.

Now with Core, my understanding is that a user requests a token for an API, and the resulting token will have the permissions. Can I use Core to set permissions/roles for a user, and then access them from my application? Does it even make sense since my application is, by definition, an application and not an API?
And if it’s not possible, what is the standard way to manage permissions for an application? (I guess that since Core is meant to replace Extension entirely, it must be possible to do that?)

Also, what does the “Enable RBAC” button on an API do?

Apologies for the imprecision, it has been a long time since I implemented Auth0 on my projects…

Thank you! :slight_smile:

Hi @Alsyia,

Welcome to the Auth0 Community!

In short, yes!

Yes, you can add this info to a token (you will likely want to add them to the ID token for your app, but you can add to access as well, although the access token is more intended for API authorization). Depending on whether you want to add a role or a permission, or both.

Take a look at these resources:

This turns on/off the RBAC settings you have configured for the particular API.

Let me know if this helps,
Dan

Edit: removed FAQ

It helps a lot, thank you! I can see how I would access somebody’s permissions now. Although I guess it still means I need an API somewhere managing those permissions. I’m definitely going to take a look at those rules!

Concerning the Enable RBAC option, I understand it turns on/off RBAC, but what does it mean exactly? I was under the assumption that checking Add Permissions in the Access Token was necessary for permissions to be added in the access token. Checking Enable RBAC alone didn’t seem to do anything :thinking:

Thank you very much for this detailed answer! :smiley:
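
One way an API could consume the access-token permissions discussed in this thread, shown as an added example that is not code from any poster or from Auth0: it verifies an RS256 token and then checks the `permissions` array that appears when "Add Permissions in the Access Token" is enabled. The key pair, issuer, audience, permission names and helper names are constructed assumptions so the example runs offline.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed RSA key pair standing in for the tenant's RS256 signing key (assumption).
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const b64u = (v) => Buffer.from(v).toString('base64url');

// Helper for the example only: mints a constructed RS256 token so nothing is fetched online.
function mintSampleToken(claims, key = privateKey) {
  const signingInput = `${b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${b64u(JSON.stringify(claims))}`;
  return `${signingInput}.${b64u(nodeCrypto.sign('sha256', Buffer.from(signingInput), key))}`;
}

// Verify signature, issuer, audience and expiry before trusting any claim.
function verifyAccessToken(token, key, { issuer, audience, now = Math.floor(Date.now() / 1000) }) {
  const [head, body, sig, ...rest] = token.split('.');
  if (!head || !body || !sig || rest.length) throw new Error('malformed token');
  const header = JSON.parse(Buffer.from(head, 'base64url').toString());
  if (header.alg !== 'RS256') throw new Error('unexpected alg'); // pin the algorithm server-side
  const valid = nodeCrypto.verify('sha256', Buffer.from(`${head}.${body}`), key, Buffer.from(sig, 'base64url'));
  if (!valid) throw new Error('bad signature');
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  if (claims.iss !== issuer) throw new Error('wrong issuer');
  if (![].concat(claims.aud).includes(audience)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Fail closed: a token without a `permissions` array grants nothing.
function isAllowed(claims, required) {
  const granted = Array.isArray(claims.permissions) ? claims.permissions : [];
  return required.every((p) => granted.includes(p));
}

// Constructed sample values: hypothetical tenant, API identifier and permission names.
const ISSUER = 'https://tenant.example/';
const AUDIENCE = 'https://api.example/';
const base = { iss: ISSUER, aud: AUDIENCE, sub: 'auth0|sample', exp: Math.floor(Date.now() / 1000) + 300 };
const withPermissions = mintSampleToken({ ...base, permissions: ['read:reports'] });
const withoutPermissions = mintSampleToken({ ...base, scope: 'openid profile' });

function authorize(token, required) {
  return isAllowed(verifyAccessToken(token, publicKey, { issuer: ISSUER, audience: AUDIENCE }), required);
}
```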
