
How to assign custom scopes to users?

users
scopes
api-authorization

#1

I have created an API and added some custom scopes, such as Message:Read, Users:Delete.

Where do I assign these scopes to a user? For example, that user Bob has the scope Message:Read.


#2

If you want to restrict the set of scopes that can be requested on a per-user basis then you can do so by implementing the associated access policy through rules.

A very simple rule example with a hardcoded access policy follows:

function (user, context, callback) {
  var _ = require("lodash");

  var req = context.request;

  // Get requested scopes (from the query string or the request body)
  var scopes = (req.query && req.query.scope) || (req.body && req.body.scope);

  // Normalize scopes into an array (empty array when none were requested)
  scopes = (scopes && scopes.split(" ")) || [];

  // Restrict the access token scopes according to the current user
  context.accessToken.scope = restrictScopes(user, scopes);

  callback(null, user, context);

  function restrictScopes(user, requested) {
    // Full list of scopes available hardcoded for demo purposes
    var all = ["read:examples", "write:examples"];

    // Applies hardcoded logic to restrict the possible scopes;
    // replace with your access control logic that can perform
    // external requests or use data available at the user level
    var allowed;
    if (user.email === "user1@example.com") {
      allowed = ["read:examples"];
    } else {
      allowed = all;
    }

    // Intersect allowed with requested to allow the client
    // application to request fewer scopes than all the ones the
    // user actually has access to. For example, the client
    // application may only want read access even though the
    // user has write access
    return _.intersection(allowed, requested);
  }
}

You should be able to reuse most of it though and just replace the logic that happens within the restrictScopes function to actually apply your business logic. Bear in mind that the above is a very simplistic implementation, as it assumes a single audience and does not take into consideration OIDC scopes that may or may not be important for your scenario; check the answer on this other question for an example of a rule that has a notion of OIDC scopes.


#3

Thanks,

But I thought I could apply the scopes to a User in the App_MetaData field?

Or have I misunderstood?

Essentially, I want to secure certain RESTful endpoints to only those users who have the permission.

Thanks



#5

You can store the information that allows you to make the decision in app_metadata; however, you would still use the rule to check whether the user has the right app_metadata information and issue the token with the scopes in accordance with that metadata.
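
Following the approach described in #5, here is an added example (not code from the thread or from Auth0) of a rule that reads the scopes a user may hold from app_metadata and intersects them with what the client requested. The `permissions` metadata key, the sample user Bob and the hypothetical scope names are assumptions; lodash is replaced by a plain array filter so the snippet runs stand-alone, and it goes one step beyond the thread by passing the standard OIDC scopes through unchanged.

```javascript
// Standard OIDC scopes are not API permissions, so they are never filtered out.
const OIDC_SCOPES = new Set(["openid", "profile", "email", "offline_access"]);

// Pure decision function: returns the subset of the requested scopes that the
// user is allowed to hold according to app_metadata.permissions (assumed key).
// A user with no app_metadata, or no permissions array, gets no custom scopes.
function restrictScopes(user, requested) {
  const meta = (user && user.app_metadata) || {};
  const granted = Array.isArray(meta.permissions) ? meta.permissions : [];
  const allowed = new Set(granted);
  return requested.filter((s) => OIDC_SCOPES.has(s) || allowed.has(s));
}

// Pull the space-separated scope parameter from the query string or the body,
// dropping empty entries produced by stray whitespace.
function parseRequestedScopes(req) {
  const raw = (req.query && req.query.scope) || (req.body && req.body.scope) || "";
  return raw.split(" ").filter(Boolean);
}

// Same signature as an Auth0 rule: function (user, context, callback).
function scopeRule(user, context, callback) {
  const requested = parseRequestedScopes(context.request || {});
  context.accessToken.scope = restrictScopes(user, requested);
  callback(null, user, context);
}

// Constructed sample input: Bob may only read messages, but the client asks
// for more than that.
const bob = {
  email: "bob@example.com",
  app_metadata: { permissions: ["Message:Read"] },
};
const ctx = {
  request: { query: { scope: "openid Message:Read Users:Delete" } },
  accessToken: {},
};
scopeRule(bob, ctx, (err, u, c) => {
  // Only openid and Message:Read survive; Users:Delete is dropped.
  console.log(c.accessToken.scope);
});
```

The endpoint itself still has to verify the token and check that the required scope is present; the rule only controls what ends up in the token.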
