Confused about RBAC authorization in node.js web-apps

endarkened · January 19, 2020, 2:33am

Hello awesome community!

I may be pretty obtuse but I can’t seem to find an answer to my question neither in quickstarts and examples nor in Community and that puzzles me a lot, because it seems I’m doing something weird or in a wrong way.

I have a web application with a Node.js back-end service which both serves web pages and scripts AND acts as a REST API back-end (currently it’s literally one service but I want to split it later). I implemented authentication and cookie-based session stuff following this guide Auth0 Express SDK Quickstarts: Login and it all works beautifully.
But now I want to add session/cookie-based RBAC authorization to my back-end to protect REST APIs with both a session and RBAC and I can’t seem to find an “elegant” way of extending this whole passport/session solution with getting and verifying the user roles which are stored in Auth0 back-end. Is there a way of “enriching” user profile or session meta with roles and what are the consequences of that or is that something I shouldn’t do and instead I should add Bearer authorization on top of current session authentication?

James.Morrison · January 21, 2020, 6:02pm

Hi there @endarkened, welcome to the Auth0 Community!

endarkened:

I have a web application with a Node.js back-end service which both serves web pages and scripts AND acts as a REST API back-end (currently it’s literally one service but I want to split it later). I implemented authentication and cookie-based session stuff following this guide Auth0 Express SDK Quickstarts: Login and it all works beautifully.
But now I want to add session/cookie-based RBAC authorization to my back-end to protect REST APIs with both a session and RBAC and I can’t seem to find an “elegant” way of extending this whole passport/session solution with getting and verifying the user roles which are stored in Auth0 back-end. Is there a way of “enriching” user profile or session meta with roles and what are the consequences of that or is that something I shouldn’t do and instead I should add Bearer authorization on top of current session authentication?

Can you explain a bit more what the implementation looks like with RBAC in a non-elegant way? The doc below that dives into the RBAC concepts seems to fit your use case with securing your API in a perfect way. I want to help so I could been missing where RBAC doesn’t resolve the issue, please share a bit more details so we can work together on this front. Thanks in advance!

endarkened · January 24, 2020, 10:18pm

Hi James, thanks for the pointers, but my question is not about RBAC itself, but about integration of it with my existing passport/session solution which described here Auth0 Express SDK Quickstarts: Login

The examples for Core Authz imply that the application uses Bearer scheme to protect endpoints, as described for example here Role-Based Access Control but that’s what I’m asking: I don’t need Bearer auth, I already have session check, so how would I get permissions from user profile and inject them into the session.

James.Morrison · February 8, 2020, 2:18am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.