I’d like to add social login, Facebook and Google, to my app via Auth0. This is straightforward enough. However, I want to control who can log in to my app with a Google or Facebook identity, i.e. I don’t want anyone with a Google or Facebook account to be able to access my app. I want them to be able to use Google or Facebook identities so they don’t have to create another identity for my app, but I want to limit who can access it.
Is that possible with Auth0? If so, how do I do it? Do I add a rule?
I have 3 users: jon@gmail.com, bob@gmail.com and fred@gmail.com. I want the 3 of them to access my app via auth0.com social login using their Google credentials. However, I want to ensure that only Jon, Bob and Fred can log in. I don’t want anyone with a Google account to be able to access my app.
I believe I should create a rule. However, I want to make it easy for me to add and remove users without having to edit a rule. It would be good if I could just add Gmail addresses to a database or just a file which the rule checks.
As for having a list of users somewhere, this is going to be a little bit of a gray area. It could be accomplished by adding a flag to the users’ metadata, by adding them to the rule manually, or by having the rule look at a Dropbox file or another outside source. At the end of the day you will have to manually add the users somewhere, unless there is a pattern for the rule to follow.
With that being said…it sounds like you are dangerously close to RBAC. This certainly could solve the problem, and may be easier. It is kind of set up to do what you are requesting.
To summarize, you can accomplish this with a number of different strategies. I would be happy to walk through any of them with you if you need more help (rules are one of my favorite Auth0 features).
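The allow-list approach from the answer above, as an added example that is not code from the thread or from Auth0. Auth0 rules have the shape `function (user, context, callback)`; here the list of permitted addresses is read from an assumed rule configuration value `ALLOWED_EMAILS`, so it can be edited in the dashboard without touching the rule. The `UnauthorizedError` class and `configuration` object are stand-ins for the globals the Auth0 rule sandbox provides, and `evaluate` is a hypothetical helper so the rule can be exercised outside Auth0. The rule also refuses addresses the identity provider has not marked as verified, since an allow list keyed on email is only as trustworthy as that flag.

```javascript
// Added example, not from the thread: allow-list rule for social logins.

// Stand-in for the UnauthorizedError global of the Auth0 rule sandbox.
class UnauthorizedError extends Error {}

// Constructed stand-in for the rule configuration (Auth0 dashboard > Rules > Settings).
// Assumed key ALLOWED_EMAILS holds a comma-separated list of permitted addresses.
const configuration = {
  ALLOWED_EMAILS: 'jon@gmail.com, bob@gmail.com, fred@gmail.com',
};

function allowListRule(user, context, callback) {
  // Only gate the social connections; other connections are left untouched.
  const socialConnections = ['google-oauth2', 'facebook'];
  if (!socialConnections.includes(context.connection)) {
    return callback(null, user, context);
  }

  // Refuse unverified addresses: the list is keyed on email, so an unverified
  // claim from the provider must not be enough to get in.
  if (!user.email || user.email_verified !== true) {
    return callback(new UnauthorizedError('Email address not verified.'));
  }

  // Normalise both sides so "Bob@gmail.com" and "bob@gmail.com" match.
  const allowed = configuration.ALLOWED_EMAILS
    .split(',')
    .map((e) => e.trim().toLowerCase())
    .filter(Boolean);

  if (!allowed.includes(user.email.toLowerCase())) {
    return callback(new UnauthorizedError('Access denied.'));
  }
  return callback(null, user, context);
}

// Hypothetical helper for running the rule outside Auth0: the callback is
// invoked synchronously, so the decision is available on return.
function evaluate(user, context) {
  let result;
  allowListRule(user, context, (err) => {
    result = err ? { allowed: false, reason: err.message } : { allowed: true, reason: null };
  });
  return result;
}
```

In a real deployment the rule body (without the stand-ins) is pasted into a new rule, and `ALLOWED_EMAILS` is maintained as a configuration value; failed logins surface in the Auth0 logs as a rule error, which is where to look when checking that the gate is working.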
Thank you for your interest and advice, it is very much appreciated.
With regards to RBAC, where would I define the role as a claim in the JWT which I would translate into a granted authority in the application? Would the rule take the token from Google and add the claim if it meets certain criteria? E.g. email address is xyz.gmail.com?
You can add the role directly to the user in the Auth0 dashboard (Google IdP or otherwise), and then have the roles added to the token via a custom claim in a rule.
How you add roles is going to depend on scale. If you are setting up roles for a few admins here and there, then managing it in the dashboard is easy. If you have a lot of users constantly needing roles added or removed and need to scale it, then you’ll have to find a pattern to follow, e.g. email domain or something tangible.
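The role-to-claim flow from the two answers above, as an added example that is not code from the thread or from Auth0. Roles assigned to a user in the dashboard arrive in a rule as `context.authorization.roles`; the rule copies them into a namespaced custom claim on both tokens (the namespace `https://example.com/claims/` is assumed, and Auth0 requires a non-Auth0 URL for custom claim names). It also shows the "pattern" option from the second answer as a constructed email-domain map used only when no roles were assigned by hand, and a small `toGrantedAuthorities` function standing in for the application side that turns the claim into granted authorities. `runRule` is a hypothetical helper for exercising the rule outside the Auth0 sandbox.

```javascript
// Added example, not from the thread: roles -> namespaced custom claim.

const CLAIM_NAMESPACE = 'https://example.com/claims/'; // assumed namespace

// Constructed fallback pattern: members of this domain get a role without
// being assigned one by hand in the dashboard.
const DOMAIN_ROLES = { 'example.org': ['member'] };

function rolesClaimRule(user, context, callback) {
  // Roles assigned in the Auth0 dashboard (Authorization Core).
  let roles = (context.authorization && context.authorization.roles) || [];

  // Fall back to the domain pattern only for a verified address, so an
  // unverified claim from a provider cannot mint a role.
  if (roles.length === 0 && user.email && user.email_verified === true) {
    const domain = user.email.split('@')[1].toLowerCase();
    roles = DOMAIN_ROLES[domain] || [];
  }

  // Put the same claim on both tokens so the front end and the API agree.
  context.idToken[CLAIM_NAMESPACE + 'roles'] = roles;
  context.accessToken[CLAIM_NAMESPACE + 'roles'] = roles;
  return callback(null, user, context);
}

// Hypothetical helper: run the rule with empty tokens and return the
// resulting context (or null if the rule rejected the login).
function runRule(user, context) {
  const ctx = Object.assign({ idToken: {}, accessToken: {} }, context);
  let out = null;
  rolesClaimRule(user, ctx, (err, u, c) => { out = err ? null : c; });
  return out;
}

// Application side: translate the claim into authorities. The ROLE_ prefix
// follows the Spring Security convention the asker alludes to.
function toGrantedAuthorities(claims) {
  const roles = claims[CLAIM_NAMESPACE + 'roles'];
  if (!Array.isArray(roles)) return [];
  return roles.map((r) => 'ROLE_' + String(r).toUpperCase());
}
```

The application must still validate the token's signature, issuer and audience before trusting the claim; the mapping above assumes that has already happened. Keeping the claim namespaced also avoids Auth0 silently dropping it as a collision with a standard claim.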