Authorization Series — Pt 2: Securing HTTP APIs with RBAC rules

In this article, you will learn how you can leverage Auth0’s RBAC (Role-Based Access Control) feature to handle end-user authorization in your APIs.

Read on

Brought to you by @bruno.krebs

Nice article, thanks! One question though: the application you use to demo the access control https://troubleshoo.now.sh talks to multiple APIs (expense, invoice and vacation). As far as I understand it, this is not something the current SPA SDK (auth0-spa-js) supports, it only accepts a single string for the audience parameter. Would you mind sharing how you accomplished this functionality? And is auth0-spa-js going to get support for dealing with multiple APIs?

Hey there, @fnberta. Sorry for the delay. I didn’t do any magic, I simply rebuilt the Auth0 client when the users of https://troubleshoo.now.sh hit the Save button after changing the configuration. That is, I talk to a single audience.

I will check regarding your last question and post you with updates here.

Hi @bruno.krebs, @ramiro,

found this article very useful but I cannot find the group support in my Auth0 tenant. Are groups now supported by Auth0? If not, are they still part of your roadmap and what is the ETA?

Thank you,
Eva


Howdy, Eva. Thank you for reading the blog post. We are glad that you liked it. Let me research your question and find out what’s the status of groups.

Hi Eva,

Groups is no longer in beta; we’re evaluating feedback from the beta program and have aligned it with another Authorization feature that we’re working on. We expect Groups to be available again in Q2 of 2021. I’d be interested to know what problem you’d like to use Groups to solve and will reach out via DM.

Thanks,

Adam


Thanks for the heads-up, Adam!


Hello Adam,

thank you for getting back to me so quickly. We are already using Auth0 as our authentication provider and are currently exploring the use of the Auth0 Groups feature for authorization purposes.

Where we can see Auth0 Group support being potentially useful is if we could use groups without policies (roles). That is, if we can publish user-group memberships to Auth0 without publishing policy definitions and group-policy assignments, and have users’ group memberships included in the authN token.

This would give us a mechanism for supplying group-membership information to resources/services with each request, potentially eliminating the need to perform user-group lookups during authZ checks.

We plan to handle policy definitions and assignments on our end because we require fine grained ABAC.

Also would there be limits to how many groups could be defined in the Auth0 tenant?

Thank you for your help.

Kind regards,

Eva


Hi Eva,

At such a time as we release groups there will be entity limits that will differ based on subscription plan. The exact ways in which the groups that an authenticated user belongs to will be exposed to your application is still being defined, but this will be possible. In the meantime, there are options that you can explore involving extensibility – perhaps using user metadata, or using roles and then including role names in the ID token via a rule, for example.

Hope this helps – if you’d like to discuss your use-case further please send me a DM and we can set up time to chat as our team begins to solidify our plans for how the groups features will be exposed.

Thanks,

Adam

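The "roles plus a rule" option Adam describes above, worked through as an added example (this is not code from the thread, from the blog post, or from Auth0 itself). It assumes the Rule runs in Auth0's Rules pipeline with the `function (user, context, callback)` signature, that Auth0 RBAC has populated `context.authorization.roles`, and that `CLAIM_NAMESPACE` is a placeholder namespace you would replace with your own. The second half shows the API side reading that claim from an already-verified token payload, which is the "no membership lookup per request" property Eva is after; the JWT signature check itself is assumed to be done by your JWT middleware and is not shown.

```javascript
// Added example, not from the original thread or from Auth0's own code.
// Placeholder namespace for custom claims (assumption: replace with your own URL).
// Auth0 Rules only keep custom claims that are namespaced; un-namespaced ones are dropped.
const CLAIM_NAMESPACE = 'https://example.com/claims/';
const ROLES_CLAIM = CLAIM_NAMESPACE + 'roles';

// The Rule, in the shape the Auth0 Rules pipeline expects: copy the RBAC roles
// assigned to the user onto both the ID token and the access token.
function addRolesToTokens(user, context, callback) {
  const roles = (context.authorization && Array.isArray(context.authorization.roles))
    ? context.authorization.roles
    : [];
  context.idToken = context.idToken || {};
  context.accessToken = context.accessToken || {};
  context.idToken[ROLES_CLAIM] = roles;
  context.accessToken[ROLES_CLAIM] = roles;
  return callback(null, user, context);
}

// API side: decide from the (already signature-verified) token payload alone,
// so no user-group lookup is needed on the request path.
// Deny by default when the claim is missing or malformed.
function requireAnyRole(claims, requiredRoles) {
  const roles = claims ? claims[ROLES_CLAIM] : undefined;
  if (!Array.isArray(roles)) return false;
  return requiredRoles.some((r) => roles.includes(r));
}

// Run one pass of the Rule over constructed inputs and return what it produced.
function demo() {
  const user = { user_id: 'auth0|constructed-user', email: 'eva@example.com' }; // constructed
  const context = {
    authorization: { roles: ['expenses:approver', 'vacation:viewer'] }, // constructed
    idToken: {},
    accessToken: {},
  };
  let result;
  addRolesToTokens(user, context, (err, _u, ctx) => {
    result = { err, accessToken: ctx.accessToken, idToken: ctx.idToken };
  });
  return result;
}

const out = demo();
console.log(JSON.stringify(out.accessToken));
console.log('expense approver allowed:', requireAnyRole(out.accessToken, ['expenses:approver']));
console.log('invoice admin allowed:', requireAnyRole(out.accessToken, ['invoice:admin']));
```

The deny-by-default branch in `requireAnyRole` is the part worth keeping: a token that reaches the API without the roles claim (for example one minted before the Rule was enabled, or for an API the Rule does not cover) should fail closed rather than be treated as "no restrictions".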

Thanks for expanding on that Adam!