I am a software engineer living in Japan.
I am having trouble developing a product using Auth0, and I would like to ask for your support.
I am currently creating an application with a SPA + API configuration.
The front-end is written in React, and the back-end is written with the Django framework in Python.
The authentication function is built using Auth0, and we aim to use RBAC to verify the JWT for requests from the frontend and whether it has the authority to execute the requested API.
OSS in use
I have cut out as much of the OSS as possible.
Install the module djangorestframework-auth0 with pip.
It has the same implementation as the following sample, e.g. it checks if the user has
As I found out, this OSS requires the Role and Permissions to be included in the app_metadata in the JWT.
What I want to achieve
I want the JWT’s app_metadata to contain roles and permissions. This is how we want to control access to the API.
Also, I haven’t imagined the operational flow when app_metadata is included in JWT, and I’d like you to introduce that information.
When a user logs in for the first time, the JWT is retrieved. If they then add a new Permission, I assume the new Permission is not added to the JWT issued at the first login, but is asking the user to log in again the only way?
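The following is an added, self-contained example written for this thread; it is not code from the original post, from Auth0, or from djangorestframework-auth0. It shows the three things the question is about: a JWT whose payload carries roles and permissions under an `app_metadata` claim, an API-side RBAC check that verifies the token before trusting that claim, and why a token minted before a permission grant never contains the new permission (the claims are a snapshot taken at issuance, so the user needs a freshly issued token). The issuer, audience, secret, user id and permission names are all constructed placeholders, and HS256 with a shared secret is used only so the snippet runs offline without extra packages; Auth0 access tokens are normally RS256 and are verified against the tenant's JWKS instead.

```python
"""
Minimal dependency-free JWT issue/verify/authorize demo (constructed example).
HS256 is a stand-in so this runs offline; a real Auth0 API verifies RS256
against the tenant's JWKS.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-secret"                 # hypothetical shared secret
ISSUER = "https://example-tenant.auth0.invalid/"    # placeholder issuer
AUDIENCE = "https://api.example.invalid"            # placeholder API identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, app_metadata: dict, ttl: int = 3600,
                now: Optional[int] = None) -> str:
    """Mint an HS256 JWT whose payload carries app_metadata (stands in for Auth0)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": ISSUER, "aud": AUDIENCE, "sub": sub,
        "iat": now, "exp": now + ttl,
        "app_metadata": app_metadata,   # roles/permissions as of issuance time
    }
    h64 = _b64url(json.dumps(header, separators=(",", ":")).encode())
    p64 = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[int] = None) -> dict:
    """Check signature, issuer, audience and expiry; return the payload or raise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust the header's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p64))
    if payload.get("iss") != ISSUER or payload.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer/audience")
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    return payload


def has_permission(payload: dict, required: str) -> bool:
    """RBAC check the API performs on a verified payload."""
    meta = payload.get("app_metadata") or {}
    return required in set(meta.get("permissions", []))


def demo_stale_token() -> dict:
    """
    Reproduce the flow from the question: the user logs in, then is granted a
    new permission. The first token keeps its original claims; only a token
    issued after the grant carries the new permission.
    """
    t0 = 1_700_000_000
    first_token = issue_token(
        "auth0|user1", {"roles": ["viewer"], "permissions": ["read:orders"]}, now=t0)

    # An admin later grants write:orders (constructed; in Auth0 this would be
    # done in the dashboard or via the Management API).
    second_token = issue_token(
        "auth0|user1",
        {"roles": ["editor"], "permissions": ["read:orders", "write:orders"]},
        now=t0 + 60)

    old = verify_token(first_token, now=t0 + 120)
    new = verify_token(second_token, now=t0 + 120)
    return {
        "old_token_can_write": has_permission(old, "write:orders"),  # False
        "new_token_can_write": has_permission(new, "write:orders"),  # True
        "old_token_can_read": has_permission(old, "read:orders"),    # True
    }


if __name__ == "__main__":
    print(demo_stale_token())
```

The `verify_token` step is what makes the `app_metadata` claim trustworthy: the permission check must only ever run on a payload whose signature, issuer, audience and expiry have been validated. The `demo_stale_token` result is the answer to the last question in the post: because claims are embedded at issuance, the old token still lacks `write:orders`, and the API only sees the new permission once the client obtains a new token (a short access-token lifetime plus silent renewal limits how long the stale set persists).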