I’m new to Auth0 and trying to set up a development environment that takes users with an email domain of “@example.com” and grants them access to every API with every permission. The example email domain would be that of my organization. Any help would be greatly appreciated.
To achieve this, you could enable RBAC for your API, and then create a role that has all of the permissions. You could then use a rule (which runs on every login) to automatically assign this role to users whose email address is verified and belongs to that domain — checking `email_verified` matters, because otherwise anyone who can sign up with an unverified address in the domain would be granted the role:
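function assignSuperRole(user, context, callback) {
  // Auth0 rule: grant the "super" role (which carries every API permission)
  // to users whose *verified* email address belongs to the trusted domain.
  // Runs on every login and is a no-op when the user already holds the role.
  //
  // user     - the Auth0 user profile for this login (email, email_verified, user_id)
  // context  - the rule context; context.authorization.roles may be absent
  // callback - continuation: callback(err, user, context)
  const superRoleName = 'superRole';
  const superRoleId = 'rol_ABC123'; // ID of the role that holds all permissions
  const superDomain = 'example.com';

  // Connections that do not supply an email (or supply an unverified one)
  // never qualify. Guard before any string work: user.email may be undefined.
  const email = typeof user.email === 'string' ? user.email.trim() : '';
  // Take the part after the LAST '@' so a local part containing '@' cannot
  // be used to spoof the domain; compare case-insensitively.
  const domain = email.slice(email.lastIndexOf('@') + 1).toLowerCase();
  // Strict boolean check: only a verified address may confer privileges.
  const superUser =
    user.email_verified === true && email.includes('@') && domain === superDomain;

  // context.authorization.roles is not always present; treat absence as "no roles"
  // instead of letting .includes() throw on undefined.
  const assignedRoles = (context.authorization && context.authorization.roles) || [];
  if (!superUser || assignedRoles.includes(superRoleName)) {
    // Either the user does not have the domain or they already have the role assigned
    return callback(null, user, context);
  }

  // Only build the Management API client on the path that needs it.
  const ManagementClient = require('auth0@2.34.2').ManagementClient;
  const management = new ManagementClient({
    token: auth0.accessToken,
    domain: auth0.domain
  });

  const params = { id: user.user_id };
  const data = { roles: [superRoleId] };
  // The callback's second argument is the API response, NOT the rule's user
  // object; do not shadow `user` here or the login continues with the wrong
  // (possibly empty) profile.
  management.users.assignRoles(params, data, function (err) {
    if (err) {
      // Assignment failed: log it and continue the login without the role.
      // This is fail-closed on privilege — nothing extra is granted.
      console.log(`failed to assign role ${superRoleName}: ${err}`);
      return callback(null, user, context);
    }
    console.log('success - role assigned');
    // NOTE(review): the role is now persisted for future logins; whether it is
    // reflected in the token issued for *this* login depends on when
    // context.authorization was computed — verify in your tenant.
    return callback(null, user, context);
  });
}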
Thank you @stephanie.chamblee for the guidance! Is there a way to do this with scopes to not expose the role type? This is a specific request from my client.
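// Grant a single API permission directly to a user, without going through a role.
// `management` is assumed to be a ManagementClient configured for the tenant.
// NOTE: the original snippet declared `parms` but passed `params`, which is a
// ReferenceError — the variable names must match.
const params = { id: 'USER_ID' }; // replace with the target user's user_id (user.user_id inside a rule)
const data = {
  permissions: [
    { permission_name: 'do:something', resource_server_identifier: 'test123' }
  ]
};
management.assignPermissionsToUser(params, data, function (err) {
  if (err) {
    // Handle error: surface it rather than continuing as if it succeeded.
    console.log(err);
    return;
  }
  // User assigned permissions.
});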
@stephanie.chamblee in testing the following rule, I’ve found that it does not assign the permission to the user. Is there something I am missing?
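function assignSuperPermissions(user, context, callback) {
  // Auth0 rule: grant a fixed set of API permissions directly to users whose
  // *verified* email address belongs to the trusted domain (no role involved).
  // Runs on every login; re-assigning an already-held permission is harmless.
  //
  // user     - the Auth0 user profile for this login (email, email_verified, user_id)
  // context  - the rule context (unused here beyond being passed through)
  // callback - continuation: callback(err, user, context)
  const superDomain = 'example.com';

  // Guard before any string work: user.email may be undefined for some connections.
  const email = typeof user.email === 'string' ? user.email.trim() : '';
  // Use the part after the LAST '@' so a local part containing '@' cannot spoof
  // the domain; compare case-insensitively.
  const domain = email.slice(email.lastIndexOf('@') + 1).toLowerCase();
  // Strict boolean check: only a verified address may confer privileges.
  const superUser =
    user.email_verified === true && email.includes('@') && domain === superDomain;
  if (!superUser) {
    // The user does not have a verified email in the super domain
    return callback(null, user, context);
  }

  // Only build the Management API client on the path that needs it.
  const ManagementClient = require('auth0@2.34.2').ManagementClient;
  const management = new ManagementClient({
    token: auth0.accessToken,
    domain: auth0.domain
  });

  const params = { id: user.user_id };
  const data = {
    permissions: [
      { permission_name: 'do:something', resource_server_identifier: 'test123' }
    ]
  };
  management.assignPermissionsToUser(params, data, function (err) {
    if (err) {
      // Assignment failed: log it and continue the login without the permissions
      // (fail-closed on privilege — nothing extra is granted). Do not log success.
      console.log(err);
      return callback(null, user, context);
    }
    console.log('success - permissions assigned');
    return callback(null, user, context);
  });
}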
I just tested your rule in my own tenant using my own domain/permission settings, and it looks like it is working as expected.
To help troubleshoot what might be going wrong, you can install the “Real-time Webtask Logs” and watch some logs during a login flow:
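function assignSuperPermissionsDebug(user, context, callback) {
  // Auth0 rule (debug variant): same as the permission-assignment rule, with
  // console.log lines so the decision can be followed in Real-time Webtask Logs.
  // Grants a fixed set of API permissions to users whose *verified* email
  // address belongs to the trusted domain.
  //
  // user     - the Auth0 user profile for this login (email, email_verified, user_id)
  // context  - the rule context (passed through unchanged)
  // callback - continuation: callback(err, user, context)
  console.log(`user email: ${user.email}`);
  console.log(`user email address has been verified: ${user.email_verified}`);

  const superDomain = 'example.com';

  // Guard before any string work: user.email may be undefined for some connections.
  const email = typeof user.email === 'string' ? user.email.trim() : '';
  // Use the part after the LAST '@' so a local part containing '@' cannot spoof
  // the domain; compare case-insensitively.
  const domain = email.slice(email.lastIndexOf('@') + 1).toLowerCase();
  // Strict boolean check: only a verified address may confer privileges.
  const superUser =
    user.email_verified === true && email.includes('@') && domain === superDomain;
  if (!superUser) {
    // The user does not have a verified email in the super domain
    console.log(`User will not be assigned permissions because they do not have a verified email address with the domain ${superDomain}`);
    return callback(null, user, context);
  }

  // Only build the Management API client on the path that needs it.
  const ManagementClient = require('auth0@2.34.2').ManagementClient;
  const management = new ManagementClient({
    token: auth0.accessToken,
    domain: auth0.domain
  });

  const params = { id: user.user_id };
  const data = {
    permissions: [
      { permission_name: 'do:something', resource_server_identifier: 'test123' }
    ]
  };
  management.assignPermissionsToUser(params, data, function (err) {
    if (err) {
      // Assignment failed: log it and continue the login without the permissions
      // (fail-closed on privilege — nothing extra is granted). Do not log success.
      console.log(err);
      return callback(null, user, context);
    }
    console.log('success - permissions assigned');
    return callback(null, user, context);
  });
}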
If you are signing up a new user via a database connection (email/password) who has not verified their email address yet, then the permissions won’t be assigned (if you’re signing up with a social connection such as Google, the email should already be verified by the provider). Keep the `email_verified` check even so: without it, anyone able to register an unverified address in the domain would be granted the permissions. If this is the case, then you can throw an authorization error if they have the super domain yet their email is not verified. Sample Use Cases: Rules with Authorization