Dynamic scopes: parameterized

quentin.boulanger · August 9, 2023, 2:46pm

Hi,

Based on ChatGPT and other forum questions / answers I came to a potential solution. Please can you take the time, @konrad.sopala, @rueben.tiow, @dan.woda or anyone else, to confirm or correct this solution ?

Add the role of the user for each space in the app_metadata. (using the Management API called from my app API). Here is my code:

import {ManagementClient} from "auth0";
import {AuthConfig} from "../configs/auth.config";

const authManagementAPI: ManagementClient = new ManagementClient({
    domain: AuthConfig.domain,
    clientId: AuthConfig.clientId,
    clientSecret: AuthConfig.clientSecret,
    audience: AuthConfig.audience,
    scope: '...',
});

await authManagementAPI.updateUser({id: authSub}, {app_metadata: {["spaces/" + spaceAlias]: {spaceId: spaceId, role:"admin", userId: null}}});

In my frontend app (react), I use in the Auth0 Provider a custom parameter called “spaceAlias”, that i also use in my “getAccessTokenSilently” calls:

   <Auth0Provider
      domain={domain}
      clientId={clientId}
      authorizationParams={{
        redirect_uri: redirectUri,
        audience: AuthConfig.audience,
        scope: AuthConfig.scopes,
        spaceAlias: "my-room-alias"

      }}
      onRedirectCallback={onRedirectCallback}
      cacheLocation="localstorage"
    >

Add a flow action that add the desired parameterized scopes to each access token based on the app-metadata, and the queried spaceAlias. (From what I saw (Manipulate scopes for ID and Access Tokens using Actions GA), it’s not possible in actions to add parameterized scopes, which is sad… and hopefully it will be changed, as of now, is it safe then to add the parameterized scopes to a custom claim ? ).

exports.onExecutePostLogin = async (event, api) => {
    const spaceAlias = event.request.query.spaceAlias;

    if(spaceAlias){
        const spaceMetadata = event.user.app_metadata[`spaces/${spaceAlias}`]
        if(spaceMetadata && spaceMetadata.role && spaceMetadata.spaceId){

            // later: fetch from permissions api
            const scopesPermissions = {
                "member" : (spaceId)=> `add:comments-in-${spaceId} request:changes-in-${spaceId}`,
                "admin" : (spaceId)=> `add:comments-in-${spaceId} make:changes-in-${spaceId} delete:comments-in-${spaceId}`,
            }
            
            const customScopes = scopesPermissions[spaceMetadata.role](spaceMetadata.spaceId);
            api.accessToken.setCustomClaim(`https://my-apis/customScopes`, customScopes);
        }
    }

};

In my api, i cannot use requiredScopes(“add:comments-in-550e8400-e29b-41d4-a716-446655440000”) as my custom scopes are not in scopes, so I made my own “requiredCustomScopes” function.

This solution has several limitations as, for instance, I do not benefit from all the scopes advantages, but is there any better solution ? And if not, is my solution still safe ?

Thank you for your time and hopefully this response will help others …