Hi, thank you for the prompt reply.
I’m not sure, but I think my Auth0 Management API is only related to my React app; the Custom API seems like an independent thing. I’m using @auth0/auth0-react and started with the Single Page Application. I also installed the Auth0 Authorization 2.8 extension, not sure if that changes anything.
This document describes the Auth0 Management API, which is meant to be used by back-end servers or trusted parties performing administrative tasks. Generally speaking, anything that can be done through the Auth0 dashboard (and more) can also be done through this API.
Your reply reminds me of this paragraph in the documentation. So my understanding so far is like this:
There’s no general place for all permissions. Whenever I want to do some action, I need to go through these steps.
Step 1: I need to know what kind of action I want to do in order to get the right accessToken: I need to get a token from the Auth0 Management API if I want to CRUD users, or I need to get a token from the Custom API if I want to CRUD any other database that doesn’t exist in Auth0. So basically the Auth0 Management API and the Custom API will never communicate with each other, since they’re responsible for different databases.
The accessToken I get in this step will include all permissions of the current user. (I assume this since I tried to send an empty string with getAccessTokenSilently and I still got every permission.)
Step 2: I have to send the accessToken back to the API to make sure the current user has the permission to do the action. The way that the API verifies the user is by using scope and permission.
I guess the way the API uses scope and permission is that it simply compares them. If the string matches the permission/scope, that means the current user can do this action.
The problem I have here is: I thought that the scope should be passed along with the request for the API to check, but I didn’t see it in the quick start example, which confused me about how the API should verify the user’s permission.
Step 3: Once the current user passes the permission check, the Auth0 Management API will do the action by itself; for the Custom API, I’ll have to deal with the database somewhere in my project, like server.js or somewhere else.
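The permission check described in Step 2, as an added example that is not part of the original post or of Auth0's own code: the API does not receive the scope as a separate request field; it reads the `scope` (space-separated string) and, when RBAC permissions are added to the token, the `permissions` array out of the already signature- and audience-verified access token and compares strings. The `req.auth.payload` property name and the sample payload below are assumptions, not values from the post.

```javascript
// Added example (not the poster's code): permission check on a decoded Auth0
// access token, to run AFTER a JWT middleware has verified signature, issuer,
// audience and expiry. Auth0 access tokens carry granted scopes in the
// space-separated `scope` claim and, with RBAC "Add Permissions in the Access
// Token" enabled, a `permissions` array. Either claim may be absent.

// Collect everything the token grants, from both claims.
function grantedPermissions(payload) {
  const fromScope = typeof payload.scope === 'string'
    ? payload.scope.split(' ').filter(Boolean)
    : [];
  const fromPermissions = Array.isArray(payload.permissions) ? payload.permissions : [];
  return new Set([...fromScope, ...fromPermissions]);
}

// Exact string comparison, as the post guesses: "read:users" never implies
// "delete:users", and every required permission must be present.
function hasPermissions(payload, required) {
  const granted = grantedPermissions(payload);
  return required.every((p) => granted.has(p));
}

// Express-style middleware. Assumption: an upstream JWT middleware stored the
// verified, decoded payload on req.auth.payload (placeholder name; use whatever
// property your JWT middleware actually sets).
function requirePermissions(...required) {
  return (req, res, next) => {
    const payload = req.auth && req.auth.payload;
    if (!payload) {
      res.status(401).json({ error: 'missing or unverified access token' });
      return; // never fall through to the handler without a verified token
    }
    if (!hasPermissions(payload, required)) {
      res.status(403).json({ error: 'insufficient_permissions', required });
      return;
    }
    next();
  };
}

// Constructed sample of a decoded access-token payload (not a real token).
const SAMPLE_PAYLOAD = {
  iss: 'https://example-tenant.auth0.com/',
  sub: 'auth0|example-user',
  aud: ['https://my-custom-api.example'],
  scope: 'openid profile email read:users',
  permissions: ['read:users', 'update:users'],
};
```

Wire it up as `app.get('/users', jwtMiddleware, requirePermissions('read:users'), handler)`; the 401/403 split tells the client whether the token was missing or merely lacked the permission.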