Hi there, we are having performance issues using RBAC as our means of managing authentication within our application.
For a bit of context, we are currently using the core RBAC roles/permissions provided by Auth0 for our application. Since the core does not currently provide a concept of ‘groups’, unlike the Authorization Extension, we manage this ourselves by storing an ‘organizationId’ in each user's app_metadata, which works just fine.
In our application, we display a list of users and their roles. To accomplish this, we first call the Management API's GET /api/v2/users endpoint, where we also specify app_metadata.organizationId:${organizationId} as a search query parameter (using the search engine) to make sure we only get users with that organizationId in their app_metadata. This has worked fine. Unfortunately, each user does not come with their ‘roles’ on this response, which is not ideal, and I don’t quite understand why this isn’t attached to the response, as I feel it’s probably a very common use case to want to know each user's roles.
Nonetheless, to work around this, for each user we call GET /api/v2/users/{id}/roles to get their roles and merge the two objects. This is incredibly inefficient, as we have to make an individual request for each user. This was okay in the early stages of building our application, but now that our user base has grown it will not scale (e.g. if I have 1000 users, 1000 individual requests will take an astronomical amount of time to complete, which is clearly not good enough from a user-experience point of view).
We have also thought about first fetching the users of each role by calling GET /api/v2/roles/{id}/users, since the number of roles is far lower in our application, meaning the number of requests sent out would be far lower. The problem with this is that there is no way to specify a search-engine query to only get users for a particular organization. This means that if we had multiple organizations, it would return all users for the specified roles across all organizations, which again is not scalable.
Another idea was to attach the roles to the app_metadata/user_metadata inside a rule, since this will come back in the response for each user. The problem with this is that it does not get updated until a user logs in again, as rules only trigger when a user logs in. Our application provides a way to update roles, but it would not be able to subsequently display a user's newly assigned role after an update, because their user_metadata/app_metadata will not be updated until they log in again and trigger the rule.
Could someone explain to me why roles are not attached to each user object, or whether there is a way to make a batch call to get roles for a list of users rather than one at a time? I don’t see any way to make this performant enough with the currently provided API.
Regards, Sebastian