How can I control api execution based on app_metadata value?


I think you can authorize the API itself with an access token.
I would like to know if it is possible to control api execution by the value of metadata.

For example, if app_metadata is {"group": "g1"}, I want to only allow access to resources for g1. I want to block requests with different metadata such as g2 and g3.

Here are my current ideas:

  • Add app_metadata as a custom claim to the access token. Check the values obtained from the parameters and the claims during api execution.
  • Execute the user-management API on the backend, get the metadata and compare it with the parameters of the api request.

Is it possible to use such a function?

  • scope
  • permissions

Any help would be greatly appreciated.

Hi there @s.kurihara welcome to the community!

I think your first bulleted idea is the best way to go about this - Add the necessary metadata as a custom claim in the access token. Once your backend/API verifies the token, you can perform any business logic based on the metadata available in the custom claim. I’d avoid using the Management API if possible due to the requirement to make an extra call to Auth0, rate limits, etc.

Hope this helps to clarify!
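The first idea from the question, worked through as an added example (not code from this thread or from Auth0's samples): a post-login Action that copies `app_metadata.group` into a namespaced custom claim, and the backend check that compares that claim with the group the request asks for. The claim name `https://example.com/group` and the sample payloads are constructed; the check assumes the API's JWT middleware has already verified the token's signature, issuer, audience and expiry before `authorizeGroup` runs.

```javascript
// Added example; not code from the thread or from Auth0.
// Custom claims in Auth0 access tokens must use a namespaced (URL-style) name.
const GROUP_CLAIM = 'https://example.com/group'; // assumed namespace

// Part 1: copy app_metadata.group into the access token.
// Kept synchronous so it can be exercised without a running Auth0 tenant.
function setGroupClaim(event, api) {
  const meta = (event.user && event.user.app_metadata) || {};
  if (typeof meta.group === 'string' && meta.group.length > 0) {
    api.accessToken.setCustomClaim(GROUP_CLAIM, meta.group);
    return true;
  }
  // No claim is written for users without a group; the API then denies by default.
  return false;
}

// In an Auth0 Action this wrapper is published as exports.onExecutePostLogin.
const onExecutePostLogin = async (event, api) => {
  setGroupClaim(event, api);
};

// Part 2: backend authorization. `claims` is the already-verified token payload;
// `requestedGroup` is the group named in the route or query parameter.
function authorizeGroup(claims, requestedGroup) {
  const tokenGroup = claims[GROUP_CLAIM];
  if (typeof tokenGroup !== 'string') {
    return { allowed: false, reason: 'token carries no group claim' }; // deny by default
  }
  if (typeof requestedGroup !== 'string' || requestedGroup !== tokenGroup) {
    return { allowed: false, reason: `group ${tokenGroup} may not access ${requestedGroup}` };
  }
  return { allowed: true, reason: 'group matches' };
}

// Constructed sample payloads standing in for verified access tokens.
const tokenG1 = { sub: 'auth0|user1', aud: 'https://api.example.com', [GROUP_CLAIM]: 'g1' };
const tokenNoGroup = { sub: 'auth0|user2', aud: 'https://api.example.com' };

// Example run: a g1 token may read g1 resources but not g2; a token without the claim gets nothing.
console.log(authorizeGroup(tokenG1, 'g1'), authorizeGroup(tokenG1, 'g2'), authorizeGroup(tokenNoGroup, 'g1'));
```

Because the group travels inside the token, a change to a user's app_metadata only takes effect when a new access token is issued, so keep token lifetimes short if group membership changes often.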
