Coarse-grained scope in ID token to fine-grained API permission

My API has a large number of fine-grained permissions.

Based on the Permissions, Privileges, and Scopes blog post and other references I understand that I do not want to include the entire list of permissions in the scope.

Ideally I would like to have coarse-grained “roles” - reader, writer, admin - in the scope, then somewhere map those roles to fine-grained permissions and include those in the access token.

What is the best practice around mapping coarse-grained roles to fine-grained permissions and validating an access token against an API call’s required permissions? Should the access token contained the list o fine-grained privileges? Or is this mapping handled outside of the authorization flow?

As Auth0 provides Roles that map to a set of Permissions it seems like I should be able to make use of that during the user login flow.


(For some reason - I asked here - I am unable to put relevant tags on my posts. This one needs rbac, roles, scope, permissions, …)

Hey @darrenk !

Generally speaking, regarding API authorization, the Auth0 Identity Provider will issue a JWT access token containing the scope claim. The scope claim content is the intersection of:
-scopes requested by the client application with the /authorize request by specifying the scope query parameter and
-the user’s assigned permissions within the IdP (assigned directly to the user, or using Roles). :slight_smile:

Your API performs a standard JWT access token validation and later checks the scope claim to see if it matches the permissions required for the endpoint being accessed. Take a look here: Validate Access Tokens.

These will have to be listed in the API settings in your Auth0 tenant:

The best practice for mapping is using Roles (Auth0 tenant → User Management → Roles).

The calling application should specify the scope needed. Auth0 IdP checks if the role assigned to the user covers the scopes requested. The scope claim returned in the access token should then be evaluated on the API side: does it contain all the permissions required to call the endpoint?

Does this clear the topic? Please let me know your thoughts or follow-up questions! :cowboy_hat_face:

1 Like

This does provide a lot more clarity.
Your response along with this answer has cleared up my confusion around scopes, roles, and permissions.

Thank you @marcelina.barycka

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.