I’ve created a test environment and enabled the Authz add-on, created my roles & permissions and assigned them to a user.
I also created an AWS Serverless Lambda function and deployed it using the example code.
I then ran up the local developer test Angular SPA and logged in.
So I then post the auth token to my API and can verify that the Public, Private and Scoped endpoints are accessible (with the correct permissions etc.).
If I remove the permission in the Auth0 console and then wait a while (like an hour), I can still access the endpoint with the “read:messages” protection AFTER my user no longer has that permission.
So, my question is, how is AWS supposed to be contacting Auth0 to verify the token still has the correct permissions? From my somewhat bewildered standpoint, I’m not seeing that AWS is even verifying that the token is valid. Is it doing this?
What have I missed?
It’s really not sufficient to pass along a token with a permission claim and have AWS just assume that it’s valid. Surely the circle needs to be closed, but I’m not seeing how it’s doing that.
Given that a token is generated and AWS can then read it, what is stopping this token being spoofed with a permission and thereby having your endpoint functions compromised?
I’m sure I’m missing a trick somewhere - but what…?
This whole setup is really cool and the more I use it the more I’m enjoying it, but there’s just sooooooo much to read and the App/API/Tenant stuff is overwhelming right now.
A really useful guide would be an Angular SPA, a C# .NET Core 2 Web API and a pre-configured Auth0 app etc., for someone to easily get up and running. This has to be a fairly common scenario these days.
Someone please explain and break it down. I’ve spent most of the weekend reading guides and tutorials on this site and AWS. The AWS stuff is super complex too.
Can anyone recommend a video (Pluralsight, YouTube etc.)?
Thanks - Paul.