We are just getting started with oauth and auth0, so let us know if we are doing it wrong.
We have mulitple SPA clients using the same API to present data to our users in different ways. Let’s take the example of updating a booking, that only admins are allowed to do.
The client asks auth0 to authenticate the user, and requests an access_token with the API as the audience with the implicit flow.
As far as I understand scopes are used for validating that the user has given permission to the client to carry out an operation (manage-bookings) on his/her behalf.
We would like to use the authorization extension to include a user’s permissions into the access_token, so that the API can verify not only that the client was authorized to carry out an operation on the user’s behalf, but that the user is allowed make such a request (update-booking).
The problem is that it seems that the authorization extension only allows to create roles and permissions tied to a client, whereas we would need to create them for the API, otherwise we would need to duplicate them for each client that is accessing the API which is error-prone, and also makes me cringe that the client rules are telling the API what the user is allowed to do…
What is a good way to do this?