I’m starting a new project that seems perfect for Auth0. It’s an internal tool, so our user base will never grow that large, SSO would be super helpful and we’d save a ton of time not building the system out ourselves.
My only hesitation is that I can’t figure out what the best way to implement authorisation is. I’ve been poring over the docs and as far as I can tell, there are 3 built-in options, and then the option to customise.
- Use the built-in roles tool. This is behind a paywall, so if possible I’d like to avoid using it
- Use the authorisation extension. This seems like a good option, but it has more limited functionality (doesn’t support permissions for an individual user, they have to be assigned through roles)
- Use Scopes. I’m still unclear where the actual authorisation step happens here
Then it also seems possible to just implement our own authorisation server, but I’m unsure if this would mean a significant reduction in performance.
My question is, people who use Auth0 in production, how have you done authorisation? It seems possible to just use scopes, but I’m still not entirely clear how these work. Do you need to also use either of the built-in role-management tools or the Authorisation extension, or is there a way to restrict access without these tools? Has anyone delegated authorisation responsibility to their internal servers?
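The "where does the authorisation step happen" question for scopes, shown as an added example that is not part of the post above or of Auth0's own code: the identity provider only puts a space-separated `scope` claim into the access token, and it is the API (resource server) that verifies the token and then enforces the scope on each request. The secret, audience string and scope names below are constructed for the demo; a real Auth0 API would verify RS256 signatures against the tenant's JWKS instead of an HS256 shared secret.

```python
# Added example: the API, not Auth0, performs the authorisation check.
# Auth0 issues a JWT access token carrying a "scope" claim; the API
# verifies the token (authentication) and then checks the scope
# (authorisation). HS256 with a constructed secret keeps this offline;
# Auth0 APIs normally use RS256 verified against the tenant JWKS.
import base64, hmac, hashlib, json, time

SECRET = b"constructed-demo-secret"            # placeholder, not a real key
AUDIENCE = "https://internal-tool.example/api"  # hypothetical API identifier

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(sub: str, scope: str, ttl: int = 300) -> str:
    """Stand-in for the token Auth0 would issue (constructed for the demo)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "aud": AUDIENCE, "scope": scope,
              "exp": int(time.time()) + ttl}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str) -> dict:
    """Authentication half: pin the algorithm, check signature, audience, expiry."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != AUDIENCE or claims.get("exp", 0) < time.time():
        raise PermissionError("wrong audience or expired")
    return claims

def require_scope(token: str, needed: str) -> bool:
    """Authorisation half: the API decides, based on the scope claim."""
    claims = verify_token(token)
    return needed in claims.get("scope", "").split()
```

Per-user permissions beyond what scopes express would be decided by the same API, consulting its own data after `verify_token` returns the `sub` claim.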