Could you help me with the following? Currently our application (.NET Core API) is protected by using [Authorize("myscope")].
A small number of the users defined in our Auth0 tenant have a custom role, Manager.
Would it be possible to conditionally add this scope myscope to the user’s token only if the user has this role? Would this even be a secure solution or do we need to add the role to the token and check that in the application?
Yes, it is possible to conditionally add any scope you want to the user’s access token.
To do so, you’ll need to use Auth0 Rules and use the context.authorization.roles object to determine if your user matches the Manager role and then modify the context.accessToken.scope object to add your custom scopes.
Doing so will allow you to add scopes to the user’s access token conditionally.
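To make the answer above concrete, here is an added example of such a Rule (written for this thread, not code from Auth0 or the original poster). It assumes the classic Rule signature `function (user, context, callback)`, that role names arrive in `context.authorization.roles`, that the scopes the client asked for are a space-separated string in `context.request.query.scope` (or `context.request.body.scope`), and that assigning an array of strings to `context.accessToken.scope` sets the scopes that end up in the access token. The `runRule` harness at the bottom is a constructed stand-in for the Rule engine so the logic can be exercised offline.

```javascript
'use strict';

// Added example, not code from the original thread: an Auth0 Rule in the
// classic function (user, context, callback) shape that grants the custom
// scope "myscope" only to users who hold the Auth0 role "Manager".
//
// Assumptions: role names are in context.authorization.roles; the client's
// requested scopes are a space-separated string in context.request.query.scope
// (or context.request.body.scope); assigning an array of strings to
// context.accessToken.scope sets the scopes placed in the access token.

const MANAGER_ROLE = 'Manager';
const MANAGER_SCOPE = 'myscope';

function requestedScopes(context) {
  // Prefer a scope array an earlier rule already set; otherwise parse the
  // scope string the client sent on the authorization or token request.
  if (Array.isArray(context.accessToken && context.accessToken.scope)) {
    return context.accessToken.scope.slice();
  }
  const req = context.request || {};
  const raw = (req.query && req.query.scope) || (req.body && req.body.scope) || '';
  return raw.split(' ').filter(Boolean);
}

function addManagerScope(user, context, callback) {
  const roles = (context.authorization && context.authorization.roles) || [];
  const isManager = roles.includes(MANAGER_ROLE);
  const scopes = requestedScopes(context);
  const hadScope = scopes.includes(MANAGER_SCOPE);

  // The client decides what it asks for, so a non-manager can request
  // "myscope". Strip it in that case and add it only for managers. If nothing
  // changes, leave context.accessToken.scope untouched so the requested scopes
  // flow through as they normally would.
  if (isManager && !hadScope) {
    context.accessToken.scope = scopes.concat([MANAGER_SCOPE]);
  } else if (!isManager && hadScope) {
    context.accessToken.scope = scopes.filter((s) => s !== MANAGER_SCOPE);
  }

  return callback(null, user, context);
}

// Constructed local harness (not part of Auth0): build a context the way the
// Rule engine would and return the scope array the rule left on the token
// (undefined when the rule did not need to change anything).
function runRule(roles, requestedScope) {
  const user = { user_id: 'auth0|example', email: 'user@example.com' };
  const context = {
    clientName: 'myapi-client',
    authorization: { roles: roles },
    request: { query: { scope: requestedScope } },
    accessToken: {},
  };
  let result;
  addManagerScope(user, context, (err, _user, ctx) => {
    if (err) throw err;
    result = ctx.accessToken.scope;
  });
  return result;
}

console.log(runRule(['Manager'], 'openid profile'));          // myscope added
console.log(runRule(['Reader'], 'openid profile myscope'));   // myscope removed
console.log(runRule(['Reader'], 'openid profile'));           // untouched
```

Two points worth checking in your own tenant before relying on this: confirm in the Rules documentation for your tenant how `context.accessToken.scope` interacts with the scopes the client requested (the example carries the requested scopes forward rather than assigning `['myscope']` on its own, so that no default scope is silently dropped), and keep validating the token's signature, issuer and audience in the .NET API as you do today. The Rule only decides whether `myscope` is issued; `[Authorize("myscope")]` still needs a properly verified token to trust it.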