
How can I restrict user access to clients/applications?

authorization-extens
authorization

#1

Here is the scenario:
I have 3 clients (3 different applications) defined in Auth0:
Client/Application A
Client/Application B
Client/Application C
I have 2 users, User 1 and User 2, with SSO enabled.
User 1 will have access to A and B but not C, and User 2 will have access to B and C but not A. How can I manage this in Auth0…?
In User Details I see "Authorized Clients" with the message "There are no applications to display." How can I link clients/applications to a user…? Once I link them, will that be part of "app_metadata" or "user_metadata"…?
Hope I make sense. I am new to Auth0, and I am trying to achieve the above scenario, which is common in any organisation.
Thanks in advance


#2

There are a couple of things worth noting here. The Authorized Clients list is meant to show client applications for which the user gave consent to access certain APIs/services. The list is populated based on end-user usage of client applications and is not meant to provide any kind of configurable access policy between a user and a client application.

In addition, for the scenario you mention there may be more than one option available. For example, you could segregate your users across different connections and then associate applications A and C with their respective connections and application B with both connections. This would mean a user in the connection associated only with A would not be able to log in to C.

However, the above implies managing multiple connections, which may or may not be what you want. Another possibility would be to have all users in the same connection and then implement the authorization policy after the actual authentication. This would mean that any user could authenticate (the credentials would be valid) into any application, but there would be an immediate second step denying access to the application if the user in question is not allowed. The access policy could live in the application itself or be implemented as a rule.

In conclusion, a definitive recommendation would probably require knowing all the details, and it can also boil down to a matter of preference.

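The second option described in the answer above (authenticate everyone in one connection, then deny in a rule) can be written as an Auth0 rule that reads an allow-list from the user's `app_metadata` and compares it with the client the login is for. The code below is an added example and is not part of the original thread or of any Auth0-provided script. It assumes an `app_metadata.allowed_clients` array (a property name chosen for this example), uses constructed client IDs in place of real Auth0 client IDs, and defines a stand-in `UnauthorizedError` so the rule can run outside the Auth0 sandbox, where that class is provided globally. Only `context.clientID`, `context.clientName` and the `(user, context, callback)` signature are taken from the real rules runtime.

```javascript
// Stand-in for the UnauthorizedError class that the Auth0 rules sandbox provides;
// defined here only so the example runs stand-alone.
class UnauthorizedError extends Error {
  constructor(message) {
    super(message);
    this.name = 'UnauthorizedError';
  }
}

// The rule itself. Auth0 invokes rules as `function (user, context, callback)`
// after credentials have been validated and before tokens are issued.
function restrictClientAccess(user, context, callback) {
  const appMetadata = user.app_metadata || {};
  // `allowed_clients` is an assumed property name holding the client IDs this
  // user may sign in to; app_metadata is chosen because users cannot edit it.
  const allowed = Array.isArray(appMetadata.allowed_clients)
    ? appMetadata.allowed_clients
    : [];

  // Deny by default: a user with no allow-list, or whose list does not contain
  // the requesting client, never receives tokens for that application.
  if (!allowed.includes(context.clientID)) {
    const name = context.clientName || context.clientID;
    return callback(new UnauthorizedError(`Access to ${name} is not permitted for this user`));
  }
  return callback(null, user, context);
}

// Drives the rule and reports the outcome as a plain value so it can be
// exercised outside Auth0 (constructed harness, not part of the rules API).
function evaluate(user, context) {
  let outcome;
  restrictClientAccess(user, context, (err) => {
    outcome = err ? { allowed: false, reason: err.message } : { allowed: true };
  });
  return outcome;
}

// Constructed sample data mirroring the question: User 1 may use A and B,
// User 2 may use B and C. These IDs are placeholders, not real client IDs.
const CLIENTS = { A: 'client_A_id', B: 'client_B_id', C: 'client_C_id' };
const user1 = { user_id: 'auth0|user1', app_metadata: { allowed_clients: [CLIENTS.A, CLIENTS.B] } };
const user2 = { user_id: 'auth0|user2', app_metadata: { allowed_clients: [CLIENTS.B, CLIENTS.C] } };
const userNoMetadata = { user_id: 'auth0|user3' };

// Builds the fragment of the rule `context` this example uses.
function contextFor(name) {
  return { clientID: CLIENTS[name], clientName: `Application ${name}` };
}

// Stand-alone demonstration of the policy matrix.
for (const [label, user] of [['User 1', user1], ['User 2', user2], ['User 3', userNoMetadata]]) {
  for (const app of ['A', 'B', 'C']) {
    console.log(label, '->', app, evaluate(user, contextFor(app)));
  }
}
```

Because the decision is made in the rule, the relying applications never receive an ID or access token for a user who is not on the allow-list, which is stronger than having each application check the claim itself. Keeping the list in `app_metadata` rather than `user_metadata` matters: `user_metadata` is writable by the user through the Management API scopes commonly granted to SPAs, so it must not carry an authorization decision.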

#3

Sorry, I was not able to add a comment to the answer from jmangelo.
@jmangelo: On the scenario. First, we are looking for a way to do the mapping between users and applications/clients in Auth0, maybe as part of the user profile (is there a way to configure this), and then use this mapping to show which applications the user has access to when the user is logged in to one of the applications (refer to the attachment to give you an idea). Second, use the mapping in a rule (as you suggested) after authentication and before authorization to check whether the user is authorized to access an application. Third, configure user- and application/client-specific permissions.


#4