Auth0 Home Blog Docs

Authorize attribute

After returning from Auth0 authentication check my MVC end points are secured by [Authorize] attribute. Is it possible to extend this authorize attribute to perform other data driven checks? i.e. get the user id from the claim, and perform db sql queries to ensure the user has access to specific data?

Hi there @dyAuth0,

You can leverage the `/authorize end point to pull details on user based on the supplied scopes. Please let me know if this helps you in your quest.

I am sorry if my question was misleading. The ‘other’ authorization data will not be stored in Auth0 database, but a custom on premise database (i.e. what projects the user has access too etc.)

So I would technically use Auth0 for authentication but considering the remaining authorization needs to be done within the application based on sql data from an on-premise database. I think it may be too difficult/cumbersome to push all authorization to 3rd party Auth0 database. This would also allow us an easy transition to utilize Auth0 for primary authentication (getting userid, then using existing role/permission tables for this user)

Ideally, i was thinking i could extent the [Authorize] attribute to perform addition sql query based on userid to ensure only appropriate individuals have access.

Is this approach viable?

After talking with a senior engineer about this subject I was able to confirm that you wouldn’t be able to leverage authorize attribute in the query pursuit you are thinking. However you could use metadata to accomplish what you are looking to do. I have shared some documentation in regards to this front. Please let me know if you have any questions. Thanks!