TL;DR: is Auth0 ever planning to properly support the concept of Groups in Authorization Core?
Background: like many others, my company is stuck on the legacy and always-threatening-to-be-deprecated Authorization Extension. We’re working to transition to Authorization Core for myriad reasons (like Terraform-ability). However - Authorization Core does not support groups as the Extension does. This is a huge, huge feature miss. I’ve read countless posts on this community forum over the course of several years with people asking this same question - will Auth Core ever support Groups? All the responses reference a product roadmap, and bring up Organizations so as to suggest Organizations serving as a viable alternative to Groups. They are not.
Can anyone at Auth0 speak to a concrete timeline on Groups being added to Authorization Core?
Unfortunately, the Authorization Core does not yet support groups, as mentioned in this documentation.
However, I found an existing Product Feedback request asking to support groups in the Authorization Core, which I strongly recommend upvoting so that we can prioritize implementation based on the highest votes:
For now, if you still require using Groups, you could continue using the Authorization Extension. As for its deprecation, we currently don’t have a concrete date on when this feature will stop working, but when that happens, we will make an announcement about it.
@rueben.tiow thanks for the reply. Seeing as that Product Feedback request is from 2022, I’m not optimistic (but did go and upvote it, per your suggestion).
Seems like we’re stuck in purgatory here where Auth Core is the desirable and preferred solution, but the Auth Extension is the only thing that properly supports groups.
Auth0’s documentation on the Migrate To Authorization Extension V2 page (I’d post a link but the platform disallows it) is very misleading. Your documentation reads this:
Auth0 provides two ways to implement role-based access control (RBAC), which you can use in place of or in combination with your API’s own internal access control system:
Authorization Core
Authorization Extension
The Authorization Core feature set matches the functionality of the Authorization Extension, improves performance and scalability, and provides a more flexible RBAC system than the Authorization Extension.
Currently, both implement the key features of RBAC and allow you to restrict the custom scopes defined for an API to those that have been assigned to the user as permissions.
Specifically, saying “The Authorization core feature set matches the functionality of the Authorization Extension” is flat out false - it very much does not match. Reading that leads to a lot of wasted time trying to find the “missing” documentation and thinking the features must match when they don’t.
Please update your docs to provide full transparency on the fact that Auth0 shipped “Auth Core” without the critical elements of Groups.