Granting access to all for users with a specific email domain

Hello,

I’m new to Auth0 and trying to set up a development environment that takes users with an email domain of “@example.com” and grants them access to every API with every permission. The example email domain would be that of my organization. Any help would be greatly appreciated.

Hi @marbaez,

Thanks for joining the Community!

To achieve this, you could enable RBAC for your API, and then create a role that has all of the permissions. You could then use a rule to automatically assign this role to users who have the verified email domain:

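function (user, context, callback) {
  const ManagementClient = require('auth0@2.34.2').ManagementClient;

  // `auth0.accessToken` / `auth0.domain` are supplied by the rules runtime;
  // the token is what authorizes the Management API call below.
  const management = new ManagementClient({
    token: auth0.accessToken,
    domain: auth0.domain
  });

  const superRoleName = 'superRole';
  const superRoleId = "rol_ABC123";
  const superDomain = 'example.com';

  // Roles already on the user. `context.authorization` and its `roles` list
  // may be absent for a user with no roles, so default to an empty list
  // instead of letting `.includes` throw.
  const authorization = context.authorization || {};
  const assignedRoles = Array.isArray(authorization.roles) ? authorization.roles : [];

  // Some connections do not provide an email at all; treat that as "not a
  // super user" rather than letting `.split` throw and failing every login.
  const email = typeof user.email === 'string' ? user.email : '';
  // Take the part after the LAST '@' so nothing in the local part can be
  // used to make the address look like it belongs to the super domain.
  const atIndex = email.lastIndexOf('@');
  const emailDomain = atIndex === -1 ? '' : email.slice(atIndex + 1).toLowerCase();
  // `email_verified` is required: an unverified address can be claimed by
  // anyone who signs up, so the domain alone must never grant the role.
  const superUser = Boolean(user.email_verified) && emailDomain === superDomain;

  if (!superUser || assignedRoles.includes(superRoleName)) {
    // Either the user does not have the domain or they already have the role assigned
    return callback(null, user, context);
  }

  const params = { id: user.user_id };
  const data = { "roles": [superRoleId] };

  // The callback's second argument is the API response, not the rule's user
  // object, so the original `user` is what gets passed back to the pipeline.
  management.users.assignRoles(params, data, function (err) {
    if (err) {
      // Assignment failed: log it and let the login continue WITHOUT the
      // role, instead of also logging success. Use callback(err) here if
      // the login should be blocked in that case instead.
      console.log(err);
      return callback(null, user, context);
    }
    console.log("success - role assigned");
    return callback(null, user, context);
  });
}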

Thank you @stephanie.chamblee for the guidance! Is there a way to do this with scopes to not expose the role type? This is a specific request from my client.

No problem!

To clarify, the code above would run in a rule which would not be exposed to the browser.

I don’t believe the role type should be exposed with this rule in place. Is there a particular place you are seeing it with this implementation?

Thanks!

Not that we can see at the moment. Though, we are trying to avoid creating the role type entirely out of an abundance of caution.

I see, that makes sense! You can add individual permissions instead using the Management API Client:

https://auth0.github.io/node-auth0/module-management.ManagementClient.html#assignPermissionsToUser

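// Assign individual permissions (no role involved) to one user through the
// Management API. `management` is a ManagementClient created earlier.
// Note: the original used `parms` here but `params` in the call below, so the
// call received an undefined argument; both now use `params`.
const params = { id: 'USER_ID' };
const data = { "permissions": [{ "permission_name": "do:something", "resource_server_identifier": "test123" }] };

management.assignPermissionsToUser(params, data, function (err) {
  if (err) {
    // Assignment did not happen; surface the error rather than ignoring it.
    console.log(err);
    return;
  }

  // User assigned permissions.
});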

This looks great! Thank you for your help @stephanie.chamblee !


@stephanie.chamblee in testing the following rule, I’ve found that it does not assign the permission to the user. Is there something I am missing?

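function (user, context, callback) {
  const ManagementClient = require('auth0@2.34.2').ManagementClient;

  // `auth0.accessToken` / `auth0.domain` are supplied by the rules runtime.
  const management = new ManagementClient({
    token: auth0.accessToken,
    domain: auth0.domain
  });

  const superDomain = 'example.com';

  // Some connections do not provide an email at all; treat that as "not a
  // super user" rather than letting `.split` throw and failing the login.
  const email = typeof user.email === 'string' ? user.email : '';
  // Take the part after the LAST '@' so nothing in the local part can be
  // used to make the address look like it belongs to the super domain.
  const atIndex = email.lastIndexOf('@');
  const emailDomain = atIndex === -1 ? '' : email.slice(atIndex + 1).toLowerCase();
  // `email_verified` is required: an unverified address can be claimed by
  // anyone who signs up, so the domain alone must never grant permissions.
  const superUser = Boolean(user.email_verified) && emailDomain === superDomain;

  if (!superUser) {
    // No verified email on the super domain: continue the login unchanged.
    return callback(null, user, context);
  }

  const params = { id: user.user_id };
  const data = { "permissions": [{ "permission_name": "do:something", "resource_server_identifier": "test123" }] };

  // NOTE(review): this runs on every login of a matching user; whether the
  // Management API treats re-assigning an existing permission as a no-op,
  // and how it counts against rate limits, should be confirmed.
  management.assignPermissionsToUser(params, data, function (err) {
    if (err) {
      // Assignment failed: log it and continue the login WITHOUT the
      // permissions, instead of also logging success. Use callback(err)
      // here if the login should be blocked in that case instead.
      console.log(err);
      return callback(null, user, context);
    }
    console.log("success - permissions assigned");
    return callback(null, user, context);
  });
}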

Hi @marbaez,

I just tested your rule in my own tenant using my own domain/permission settings, and it looks like it is working as expected.

To help troubleshoot what might be going wrong, you can install the “Real-time Webtask Logs” and watch some logs during a login flow:

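function (user, context, callback) {
  const ManagementClient = require('auth0@2.34.2').ManagementClient;

  // `auth0.accessToken` / `auth0.domain` are supplied by the rules runtime.
  const management = new ManagementClient({
    token: auth0.accessToken,
    domain: auth0.domain
  });

  // Diagnostic output for the Real-time Webtask Logs extension.
  console.log(`user email: ${user.email}`);
  console.log(`user email address has been verified: ${user.email_verified}`);

  const superDomain = 'example.com';

  // Some connections do not provide an email at all; treat that as "not a
  // super user" rather than letting `.split` throw and failing the login.
  const email = typeof user.email === 'string' ? user.email : '';
  // Take the part after the LAST '@' so nothing in the local part can be
  // used to make the address look like it belongs to the super domain.
  const atIndex = email.lastIndexOf('@');
  const emailDomain = atIndex === -1 ? '' : email.slice(atIndex + 1).toLowerCase();
  // `email_verified` is required: an unverified address can be claimed by
  // anyone who signs up, so the domain alone must never grant permissions.
  const superUser = Boolean(user.email_verified) && emailDomain === superDomain;

  if (!superUser) {
    // No verified email on the super domain: continue the login unchanged.
    console.log(`User will not be assigned permissions because they do not have a verified email address with the domain ${superDomain}`);
    return callback(null, user, context);
  }

  const params = { id: user.user_id };
  const data = { "permissions": [{ "permission_name": "do:something", "resource_server_identifier": "test123" }] };

  management.assignPermissionsToUser(params, data, function (err) {
    if (err) {
      // Assignment failed: log it and continue the login WITHOUT the
      // permissions, instead of also logging success. Use callback(err)
      // here if the login should be blocked in that case instead.
      console.log(err);
      return callback(null, user, context);
    }
    console.log("success - permissions assigned");
    return callback(null, user, context);
  });
}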

If you are signing up a new user via a database connection (email/password) who has not verified their email address yet, then the permissions won’t be assigned (if you’re signing up with a social connection such as Google, the email should already be verified). If this is the case, you can throw an authorization error when the user has the super domain but their email is not verified. See: Sample Use Cases: Rules with Authorization.
