Can you use your own Authorization Solution with Auth0 API

Hey all,

We’re trying to decide if we want to use Auth0 internally, and we could definitely benefit from the authentication options the API gives us, but I’m wondering if it’s possible to use your own, custom Authorization method on top of the Auth0 Authentication.

It seems like it could be possible to add rules to do this. Based on this simple example it seems at least possible to restrict access based on simple parameters, but ideally we would like to call an internal authorization API from the rule and then use that result to restrict or allow access. Is that possible and/or efficient? Has anyone else tried it?

The reason I ask about custom authorization over Auth0 Supported options is because this post states that to use the Authorization Extension you need to be on the Developer Pro plan.

Hello @swilks,

The new core authorization feature might be useful if you need API authorization.

You can certainly call out to an external service if you need something else. E.g. Gartner has a 3-tier role model that is interesting, especially for more complex environments, but would require middleware (an API) outside Auth0 to implement. You would need to test the performance of such a solution to see if it will work for you.

Another option might be: use Auth0 rules for coarse-grained authorization (“Is the user allowed to access this app / API?” … "app_metadata": { "authorized_applications": [ "app1", "app2" ] }) and then have your apps / APIs query an authorization API directly for fine-grained access control data.
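
The coarse-grained check suggested in the reply above, sketched as an added example that is not part of the original thread or Auth0's own code. It assumes the Auth0 Rules signature `function (user, context, callback)`, matches on `context.clientName`, and denies access when the metadata is missing or malformed; the function name, the `runRule` helper and the sample users are constructed for illustration.

```javascript
// Added example. In the Auth0 Rules runtime UnauthorizedError is a global;
// it is defined here only so the file runs offline under Node.js.
class UnauthorizedError extends Error {}

// Coarse-grained gate: allow the login only when the application being
// accessed is listed in the user's app_metadata.authorized_applications.
function coarseGrainedAuthorization(user, context, callback) {
  const meta = user.app_metadata || {};
  const allowed = meta.authorized_applications;

  // Fail closed: missing or malformed metadata means no access.
  if (!Array.isArray(allowed)) {
    return callback(new UnauthorizedError('No applications authorized for this user.'));
  }
  // Exact string match only; no prefix or case-insensitive comparison.
  if (typeof context.clientName !== 'string' || !allowed.includes(context.clientName)) {
    return callback(new UnauthorizedError('Access to this application is not allowed.'));
  }
  // The user may reach the app; fine-grained decisions are left to the
  // app's own call to the authorization API.
  return callback(null, user, context);
}

// Hypothetical helper for exercising the rule outside Auth0.
function runRule(user, clientName) {
  let outcome = null;
  coarseGrainedAuthorization(user, { clientName }, (err) => {
    outcome = err instanceof UnauthorizedError ? 'denied' : 'allowed';
  });
  return outcome;
}

// Constructed sample profile, using the metadata shape from the reply.
const sampleUser = {
  email: 'user@example.com',
  app_metadata: { authorized_applications: ['app1', 'app2'] },
};

console.log(runRule(sampleUser, 'app1'));
console.log(runRule(sampleUser, 'app3'));
console.log(runRule({ email: 'new@example.com' }, 'app1'));
```

Inside Auth0 only the body of `coarseGrainedAuthorization` is pasted as the rule. Matching on `context.clientID` instead of the display name keeps the check stable if an application is renamed.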