Authorization Core for applications?

Alsyia · August 27, 2019, 2:20pm

Hi everybody,

I spent some time reading the doc about the new Authorization Core feature, but I could not find an answer to my question: can I use Authorization Core for applications?

With the Extension I can define some permissions tied to an app, put them in a role, and assign this role to a user. Whenever the user logs in (I’m using Authorization Code flow), my app will receive a token containing those permissions (if I configured a rule to insert them) or I can fetch them from the user profile.

Now with Core, my understanding is that a user requests a token for an API, and the resulting token will have the permissions. Can I use Core to set permissions/roles for a user, and then access them from my application? Does it even make sense since my application is, by definition, an application and not an API?
And if it’s not possible, what is the standard way to manage permissions for an application? (I guess that since Core is meant to replace Extension entirely, it must be possible to do that?)

Also, what does the “Enable RBAC” button on an API do?

Apologies for the imprecision, it has been a long time since I implemented Auth0 on my projects…

Thank you!

dan.woda · August 28, 2019, 5:15pm

Hi @Alsyia,

Welcome to the Auth0 Community!

In short, yes!

Yes, you can add this info to a token (you will likely want to add them to the id token for you app, but you can add to access as well, although the access token is more intended for api authorization). Depending on whether you want to add a role or a permission, or both.

Take a look at these resources:

This turns on/off the RBAC settings you have configured for the particular api.

Let me know if this helps,
Dan

Edit: removed FAQ

Alsyia · August 29, 2019, 9:41am

It helps a lot, thanks you! I can see how I would access somebody’s permissions now. Although I guess it still means I need an API somewhere managing those permissions. I’m definitely going to take a look at those rules!

Concerning the Enable RBAC option, I understand it turns on/off RBAC, but what does it mean exactly? I was under the assumption that checking Add Permissions in the Access Token was necessary for permissions to be added in the access token. Checking Enable RBAC alone didn’t seem to do anything

Thank you very much for this detailed answer!

Topic		Replies	Views
Use of roles/permissions without using custom APIs Get Help	7	2496	August 13, 2021
Do you need to use the Authorization Extension with the Core Authorization Library Get Help	10	7021	September 2, 2019
How exactly Rest API Authorization works using Core Authorization Library Get Help api , authorization	7	3753	June 1, 2019
RBAC and Plans and which method Get Help react , rbac	2	3330	May 20, 2021
Auth0 Core roles and permissions not in access token Get Help	4	5246	January 28, 2021

Authorization Core for applications?

Related topics