We have a simple frontend (Vue) and backend (.NET Core) app without further API integrations. We use Auth0 and the Authorization Extension to manage users as well as groups/permissions. Via a rule we add a custom email claim as well as the needed AE permissions to the "scopes" claim so that the .NET backend can pick them up from the access token and use them for authorization. It works well.
We're trying to make it possible for our customers to connect with their own ADs and have set up the basic enterprise connection to Azure AD, which also works. The user logs in with their enterprise email and gets authenticated that way.
However, we're not sure how to approach the scopes and permissions topic. In short, say that we have two custom permissions via Authorization Extension, myapp:admin as random examples. How can we replicate those permissions in the integrated ADs, so that the permissions 1) can be assigned to the users by the AD admin (via groups probably) and 2) get attached to the scope claim when the user has logged in?
We've experimented with the roles/groups/permissions passthrough options in AE, but the problem seems to be that while Azure AD supports custom roles, custom permissions seem to be another thing and maybe not what we're looking for? In particular, I'd imagine the possibility to add a custom group "MyApp Admins" with one or several custom permissions (myapp:admin) from the example above, but that does not seem to be possible.
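One way the group-to-permission mapping described in the question could be done inside an Auth0 rule, as an added example that is not the poster's rule and not Auth0's or the Authorization Extension's code. It assumes the rule signature `function (user, context, callback)`, that the Authorization Extension has been configured to expose its permissions on `context.authorization.permissions`, that the Azure AD connection surfaces the user's groups on `user.groups` (an attribute option on the connection; both are assumptions about the tenant's configuration), and that Azure AD connections report `context.connectionStrategy === 'waad'`. The claim namespace, the mapping table and the sample users are hypothetical. Group-derived permissions are only granted for the Azure AD strategy, so a user from another connection cannot pick them up, and the mapping matches on group object ID as well as display name because display names can be renamed or duplicated.

```javascript
'use strict';

// Added example, not the original post's rule. Assumptions: Auth0 Rule
// signature (user, context, callback); AE permissions already present on
// context.authorization.permissions; Azure AD groups present on user.groups;
// Azure AD connections identified by context.connectionStrategy === 'waad'.
const NAMESPACE = 'https://myapp.example.com/'; // hypothetical claim namespace
const AZURE_AD_STRATEGY = 'waad';                // assumed strategy name

// Hypothetical mapping from Azure AD group to app permissions. Keys may be the
// group's display name or its object ID; prefer IDs, since display names can
// be renamed by the customer's AD admin or collide across tenants.
const GROUP_TO_PERMISSIONS = {
  'MyApp Admins': ['myapp:admin'],
  '0f1b2c3d-4e5f-6789-abcd-ef0123456789': ['myapp:admin'],
};

// Accept a group given as a plain string or as an object and return every
// identifier it can be matched on (shape of user.groups is an assumption).
function groupIdentifiers(group) {
  if (typeof group === 'string') return [group];
  if (group && typeof group === 'object') {
    return [group.id, group.objectId, group.displayName, group.name].filter(Boolean);
  }
  return [];
}

// Collect the permissions granted by any of the user's groups.
function permissionsFromGroups(groups, mapping) {
  const found = new Set();
  for (const group of Array.isArray(groups) ? groups : []) {
    for (const ident of groupIdentifiers(group)) {
      for (const perm of mapping[ident] || []) found.add(perm);
    }
  }
  return found;
}

// Merge AE permissions with group-derived ones. Group-derived permissions are
// only honoured for the Azure AD strategy; a database user carrying a
// "groups" field gets nothing from it. The result is deduplicated and sorted
// so the claim is stable between logins.
function buildPermissions(user, context, mapping) {
  const authz = (context && context.authorization) || {};
  const perms = new Set(Array.isArray(authz.permissions) ? authz.permissions : []);
  if (context && context.connectionStrategy === AZURE_AD_STRATEGY) {
    for (const p of permissionsFromGroups(user && user.groups, mapping)) perms.add(p);
  }
  return Array.from(perms).sort();
}

// Namespaced custom claims for the access token (email plus permissions).
function buildAccessTokenClaims(user, context, mapping = GROUP_TO_PERMISSIONS) {
  return {
    [NAMESPACE + 'email']: user.email,
    [NAMESPACE + 'permissions']: buildPermissions(user, context, mapping),
  };
}

// The rule body as Auth0 would invoke it.
function addPermissionsRule(user, context, callback) {
  context.accessToken = Object.assign({}, context.accessToken, buildAccessTokenClaims(user, context));
  return callback(null, user, context);
}
```

The backend then authorizes on the `https://myapp.example.com/permissions` claim instead of a raw "scopes" claim, which keeps application permissions separate from OAuth scopes the client requested. If the customer's AD admin should control assignment, the mapping is the only place that needs to change per tenant; storing it in the rule's configuration rather than in code keeps it out of the deployed rule.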