
Confused about RBAC authorization in node.js web-apps

Hello awesome community!

I may be pretty obtuse, but I can’t seem to find an answer to my question either in the quickstarts and examples or in the Community, and that puzzles me a lot, because it seems I’m doing something weird or in a wrong way.

I have a web application with a Node.js back-end service which both serves web pages and scripts AND acts as a REST API back-end (currently it’s literally one service but I want to split it later). I implemented authentication and cookie-based session stuff following this guide https://auth0.com/docs/quickstart/webapp/nodejs and it all works beautifully.
But now I want to add session/cookie-based RBAC authorization to my back-end to protect the REST APIs with both a session and RBAC, and I can’t seem to find an “elegant” way of extending this whole passport/session solution to get and verify the user roles, which are stored in the Auth0 back-end. Is there a way of “enriching” the user profile or session metadata with roles, and what are the consequences of that? Or is that something I shouldn’t do, and instead I should add Bearer authorization on top of the current session authentication?

Hi there @endarkened, welcome to the Auth0 Community!

Can you explain a bit more what the implementation looks like with RBAC in a non-elegant way? The doc below that dives into the RBAC concepts seems to fit your use case for securing your API perfectly. I want to help, so I could be missing where RBAC doesn’t resolve the issue; please share a bit more detail so we can work together on this front. Thanks in advance!


Hi James, thanks for the pointers, but my question is not about RBAC itself, but about integrating it with my existing passport/session solution, which is described here: https://auth0.com/docs/quickstart/webapp/nodejs

The examples for Core Authz imply that the application uses the Bearer scheme to protect endpoints, as described for example here https://auth0.com/blog/authorization-series-pt-2-securing-http-apis-with-rbac-rules/, but that’s what I’m asking: I don’t need Bearer auth, I already have a session check, so how would I get permissions from the user profile and inject them into the session?
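
One way to do what the last post asks for, as an added example that is not code from the Auth0 quickstart or from the poster: keep the quickstart's passport session as the authentication layer, and add a small RBAC middleware that reads roles and permissions out of the profile already stored in `req.user`. It assumes (not stated on the page) that a post-login Auth0 Action has copied the user's roles and permissions into namespaced custom claims on the ID token (the two claim names below are hypothetical), and that the passport-auth0 profile kept in the session carries the raw claims under `_json`. The `authorize` function returns a status code instead of writing a response so the decision logic can be run and tested without Express.

```javascript
// Added example, not code from the Auth0 quickstart or from the poster.
// Assumptions (hypothetical, not stated on the page):
//  - a post-login Auth0 Action adds the user's roles and permissions to the
//    ID token as namespaced custom claims, under the two claim names below;
//  - the passport-auth0 quickstart keeps the profile in req.user after login,
//    with the raw decoded claims available under req.user._json.
const ROLES_CLAIM = 'https://example.com/claims/roles';
const PERMISSIONS_CLAIM = 'https://example.com/claims/permissions';

// Pull roles/permissions out of the session-stored profile. Accepts either a
// profile object with `_json` (passport-auth0 shape) or the bare claims object.
function authzFromSession(user) {
  if (!user) return null;
  const claims = user._json || user;
  const asList = (v) => (Array.isArray(v) ? v.map(String) : []);
  return {
    roles: new Set(asList(claims[ROLES_CLAIM])),
    permissions: new Set(asList(claims[PERMISSIONS_CLAIM])),
  };
}

// Access decision for one route. Returns an HTTP status rather than writing a
// response so it can be unit-tested without Express:
//   401: no authenticated session
//   403: authenticated, but missing a required role or permission
//   200: allowed
// Roles are "any of", permissions are "all of".
function authorize(user, { roles = [], permissions = [] } = {}) {
  const authz = authzFromSession(user);
  if (!authz) return 401;
  const hasRole = roles.length === 0 || roles.some((r) => authz.roles.has(r));
  const hasPerms = permissions.every((p) => authz.permissions.has(p));
  return hasRole && hasPerms ? 200 : 403;
}

// Express-style middleware factory: sits behind the quickstart's session
// handling (req.user populated by passport) and enforces RBAC on a route.
// Replies with JSON rather than a login redirect, since these are REST routes.
function requireAuthz(requirements) {
  return function (req, res, next) {
    const status = authorize(req.user, requirements);
    if (status === 200) return next();
    res.status(status).json({ error: status === 401 ? 'not_authenticated' : 'forbidden' });
  };
}

// Constructed sample data: what req.user might look like after login, with the
// assumed custom claims present in the stored profile.
const sampleUser = {
  displayName: 'Alice',
  _json: {
    sub: 'auth0|123',
    [ROLES_CLAIM]: ['editor'],
    [PERMISSIONS_CLAIM]: ['read:articles', 'write:articles'],
  },
};

// Minimal stand-in for Express req/res so the middleware can be exercised
// offline; in the real app Express supplies these objects.
function runMiddleware(mw, user) {
  const result = { status: 200, body: null, nextCalled: false };
  const req = { user };
  const res = {
    status(code) { result.status = code; return this; },
    json(body) { result.body = body; return this; },
  };
  mw(req, res, () => { result.nextCalled = true; });
  return result;
}

// Usage in the real app would be, for example:
//   app.get('/api/articles', requireAuthz({ permissions: ['read:articles'] }), handler);
// Offline demonstration: an editor hitting an admin-only route is refused with 403.
const demo = runMiddleware(requireAuthz({ roles: ['admin'] }), sampleUser);
console.log(demo);
```

Two caveats worth keeping in mind with this approach. First, the roles and permissions are a snapshot taken when the ID token was issued at login and then live in the session store until the user logs in again, so a role revoked in Auth0 stays effective for that session; keep session lifetimes short, or, for sensitive routes, re-check the user's roles server-side instead of trusting the cached claims. Second, nothing here re-validates a token signature: the trust comes entirely from the session having been established by the quickstart's verified callback, which is exactly why the session store and cookie settings (HttpOnly, Secure, SameSite) must stay as the quickstart configures them.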
