I have a front end web client which is split into different sections. Some sections available to admin, some available to senior managers etc.
I also have data which is visible to supervisors but redacted for more junior staff.
I have set up two APIs: one which gives access rights to the various sections,
the other which gives viewing rights to certain types of data.
I then create roles such as administrator which have a number of these rights (both access and data) assigned to them.
I imagined that I would then have a user log in and have details of what claims they have to access the front end and the data in a JWT, which would be signed so it could be verified by the relevant APIs.
However, I don’t think my understanding is correct. How should I be using Auth0 in this paradigm?
I appreciate this is a long-winded question, but roles seem to be a bolt-on to the product, and I am not sure of the best way to proceed.
Your understanding sounds about right to me! There are lots of resources available that go over role-based access control (RBAC) in detail, some of which I’ll add below. Each API you register in Auth0 has an option to “include permissions in access token”. This will automatically include the permissions the user has been assigned via a Role as a claim in their access token. There are many libraries/SDKs to achieve this, but at a high level your client application should include the access token as a header in all requests to your API. Your API at this point will validate/verify the access token and subsequently check for specific permissions (admin, junior, etc.).
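The flow described in the answer, as an added example that is not from the original thread or from Auth0's own SDKs: the API verifies the access token first, then checks the `permissions` claim before serving data. To keep it runnable offline with only the Python standard library it signs and verifies with HS256 and a constructed shared secret; the tenant URL, API identifier, user IDs and permission names are all placeholders. Auth0 APIs use RS256 by default, so a real API would verify against the tenant's JWKS using the SDK for its framework, but the order of checks (signature, expiry, issuer, audience, then permissions) is the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions, not real Auth0 configuration).
ISSUER = "https://YOUR_TENANT.auth0.com/"       # placeholder tenant
AUDIENCE = "https://api.example.com/sections"    # placeholder API identifier
SECRET = b"demo-shared-secret-not-for-production"  # HS256 secret for the demo only
NOW = 1_700_000_000                              # fixed clock so tokens are reproducible


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT; stands in for the access token Auth0 would issue."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes = SECRET, audience: str = AUDIENCE,
                 issuer: str = ISSUER, now: float = None) -> dict:
    """Check signature and standard claims; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust the header's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    return claims


def has_permission(claims: dict, required: str) -> bool:
    """Auth0 puts role-derived permissions in the 'permissions' claim."""
    return required in claims.get("permissions", [])


def authorize(token: str, required: str, now: float = None):
    """Decision an API endpoint makes before serving: (HTTP status, reason)."""
    try:
        claims = verify_token(token, now=now)
    except ValueError as exc:
        return 401, f"invalid token: {exc}"
    if not has_permission(claims, required):
        return 403, f"missing permission {required}"
    return 200, f"ok for {claims['sub']}"


def _claims(sub: str, permissions: list) -> dict:
    return {"iss": ISSUER, "sub": sub, "aud": AUDIENCE,
            "iat": NOW, "exp": NOW + 3600, "permissions": permissions}


# Constructed tokens: a supervisor role and a junior role.
SUPERVISOR_TOKEN = issue_token(_claims("auth0|supervisor-demo",
                                       ["read:sections", "read:redacted-data"]))
JUNIOR_TOKEN = issue_token(_claims("auth0|junior-demo", ["read:sections"]))

if __name__ == "__main__":
    for name, tok in (("supervisor", SUPERVISOR_TOKEN), ("junior", JUNIOR_TOKEN)):
        print(name, authorize(tok, "read:redacted-data", now=NOW))
```

The two checks are deliberately separate: `verify_token` answers "is this token genuine and meant for this API", and `has_permission` answers "may this user see this data". A missing permission yields 403, not 401, so the client can tell an unauthenticated session from a legitimately restricted one, and a payload swapped onto another token's signature fails at the signature step before any claim is read.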