I understand from the documentation Auth0 API registration, creation of Roles and permissions, and assigning roles and permissions to users. But I fail to understand how it works end to end and how I can use it for role-based authorization for my APIs.
I was hoping someone could clear up this confusion or guide me to the right documentation.
Thanks @dan.woda, for your reply.
I want to use Auth0 for role-based authorization of my APIs. After setting up roles, permissions etc. as mentioned in the enable RBAC docs, how will the authorization flow work? Is Auth0 sufficient for simple authorization, or do I need to develop code at my end for checking the roles of users accessing my APIs?
And if Auth0 is sufficient, then how can I tell Auth0 which APIs to redirect to after authorization succeeds?
I might be understanding it all wrong. Please help.
One additional question on this: I don’t understand what “enable RBAC” does by itself. I don’t see permissions (permissions assigned to a Role, Role assigned to a user) in the access token until I also click “add permissions in the access token”.
I think I need more context to understand the questions you are having. Where is the ‘enable RBAC’ you are referring to, and could you please expand on the permissions issue?
I believe I solved my issue, but please correct me if I’m wrong.
For one of our Auth0-defined APIs I did the following:
1. toggled “RBAC enabled” to on under the API settings
2. added a custom permission/scope under this API
I then added this same permission to a Role, then added the Role to a User. When authenticating this user I expected to see the scope (defined in #2 above) in my accessToken. After a good day of playing with this I realized that I also needed to specify the same scope in my auth request (to /oauth/token) in the “scope” query param. The issue may be that I’m not grasping some fundamental OAuth concept, but I was hoping the scope would come back in the accessToken regardless of whether I specified it in my request.