Hello awesome community!
I may be pretty obtuse, but I can’t seem to find an answer to my question either in the quickstarts and examples or in the Community, and that puzzles me a lot, because it seems I’m doing something weird or in the wrong way.
I have a web application with a Node.js back-end service which both serves web pages and scripts AND acts as a REST API back-end (currently it’s literally one service, but I want to split it later). I implemented authentication and cookie-based session stuff following this guide, Auth0 Express SDK Quickstarts: Login, and it all works beautifully.
But now I want to add session/cookie-based RBAC authorization to my back-end to protect the REST APIs with both a session and RBAC, and I can’t seem to find an “elegant” way of extending this whole passport/session solution with getting and verifying the user roles which are stored in the Auth0 back-end. Is there a way of “enriching” the user profile or session metadata with roles, and what are the consequences of that? Or is that something I shouldn’t do, and instead I should add Bearer authorization on top of the current session authentication?
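One way the session-plus-RBAC check asked about above can be wired into an Express app, as an added example that is not part of the original post and not Auth0's own SDK code. It assumes the roles have already been copied into the logged-in user's profile under a hypothetical namespaced claim (`https://example.com/roles`, a placeholder name) and that the authenticated user object is exposed at `req.oidc.user` (express-openid-connect style) or `req.user` (passport style); both locations are assumptions, not something the post confirms. The guard denies by default: no session user gives 401, a session user without every required role gives 403, and only a fully authorized request reaches the route handler. The `simulate` helper and fake `req`/`res` objects are constructed so the block runs without Express installed.

```javascript
// Added example: deny-by-default role guard for session-authenticated Express routes.
// Assumption: roles were placed into the user profile/ID token as a namespaced custom claim.
const ROLES_CLAIM = 'https://example.com/roles'; // hypothetical claim name, placeholder only

// Locate the session user. req.oidc (express-openid-connect) is checked first,
// then req.user (passport); both locations are assumptions of this example.
function getSessionUser(req) {
  if (req.oidc && typeof req.oidc.isAuthenticated === 'function' && req.oidc.isAuthenticated()) {
    return req.oidc.user || null;
  }
  return req.user || null;
}

// Extract roles defensively: anything that is not an array of strings counts as "no roles".
function rolesOf(user) {
  const raw = user && user[ROLES_CLAIM];
  return Array.isArray(raw) ? raw.filter((r) => typeof r === 'string') : [];
}

// Build middleware that passes only when the session user holds every required role.
// Usage in Express (assumed app setup): app.get('/api/admin', requireRoles('admin'), handler)
function requireRoles(...required) {
  return function roleGuard(req, res, next) {
    const user = getSessionUser(req);
    if (!user) {
      // Not authenticated: 401, and never call next().
      res.status(401).json({ error: 'authentication required' });
      return;
    }
    const have = new Set(rolesOf(user));
    const missing = required.filter((r) => !have.has(r));
    if (missing.length > 0) {
      // Authenticated but not authorized: 403 with the roles that were missing.
      res.status(403).json({ error: 'insufficient role', missing });
      return;
    }
    next();
  };
}

// Constructed stand-in for an Express response object (only status/json are needed).
function fakeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// Run the guard against a constructed request and report whether it reached next().
function simulate(user, ...required) {
  const req = user
    ? { oidc: { isAuthenticated: () => true, user } }
    : { oidc: { isAuthenticated: () => false } };
  const res = fakeRes();
  let passed = false;
  requireRoles(...required)(req, res, () => { passed = true; });
  return { passed, status: res.statusCode, body: res.body };
}

// Stand-alone demonstration with constructed users.
console.log(simulate(null, 'admin'));                                   // 401
console.log(simulate({ [ROLES_CLAIM]: ['user'] }, 'admin'));            // 403
console.log(simulate({ [ROLES_CLAIM]: ['user', 'admin'] }, 'admin'));   // passed
```

The check reads roles from the server-side session user, so a client cannot grant itself a role by editing a cookie as long as the session store itself is trusted; if the roles must be fresh on every request rather than as of login time, that is the point at which a Bearer access token carrying the roles (validated per request) becomes the better fit.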