
How to check role of user in express application

Hello,

First some context to my question:

  • As an example I have a blog application built with node express.
  • The Authorization Code Flow is used to authenticate users.
  • There are 2 users, user A is a normal user with no roles. User B has the role admin, given to him via the auth0 dashboard.
  • In my application there is a route called /admin-dashboard; only users with the role admin should be allowed to access this route.

In my application I would like to see/check what role a user has, so I can limit or allow access to certain routes. First I thought about using scopes, but from information in the docs it seems users can allow or deny any scope. This wouldn’t be of much use because users could then grant themselves the scope admin:dashboard for example.

What would be the recommended approach to this problem? There was some information in the docs about rules but no information on how to attach a role to a user given to them in the auth0 dashboard. Only based on email. Or is it common practice to make this authorization myself as described below?

  1. Authenticate the user.
  2. Check the corresponding role in my database.
  3. Manually attach the role to the user object.

This example gets really close to what I want to do. The only downside is that it is using scopes. Is it possible to add scopes to the access token based on the user's role? Or is this not the recommended way to use scopes?

Just found out that you can restrict the scope using the Enable RBAC option in the custom API settings. When a user requests certain scopes the custom API checks the role and grants the scopes if allowed.

This doesn’t quite solve the problem because the example blog express app is not a custom API. Also when using the Authorization Code Flow to authenticate a user I don’t know if it wants the admin scope admin:dashboard or if it is a normal user.

Hi @Luukth, I replied in your other thread - Trouble understanding scopes vs permissions

This doesn’t quite solve the problem because the example blog express app is not a custom API.

Well, you can think of a regular web application as a client (the frontend) and an API (the backend) at the same time. You can create the client and an API in the dashboard and use the built-in roles.

Also when using the Authorization Code Flow to authenticate a user I don’t know if it wants the admin scope admin:dashboard or it is a normal user.

I addressed this in the other thread.

If you need to know the specific Role of a user in your application, the only way of knowing it is by adding a custom claim via rules (example here - https://auth0.com/docs/authorization/concepts/sample-use-cases-rules#add-user-roles-to-tokens)

Let me know if you have any other doubt. I’m currently working on the docs to give better guidance.

Thanks,
Marcos

Hi @Marcos_Castany, many thanks for your reply on both threads. I didn’t fully understand the uses of scopes and roles/permissions, I do now :slight_smile:.

I have chosen to use roles in the (Profile) idToken. For now all my logic is in one express app, I can attach the role to the req.user.roles object using passport.

Let's hope these threads can help others.

1 Like
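The approach the thread settles on (a rule puts the user's roles into a namespaced custom claim on the token, the app reads that claim from req.user and gates /admin-dashboard on it), as an added example that is not code from the thread or from Auth0. The claim name `https://example.com/roles`, the `requireRole` / `rolesFromClaims` names and the `simulateRequest` stand-in for Express are assumptions for illustration; the two users mirror user A (no roles) and user B (admin) from the question.

```javascript
// Added example, not code from the thread. Assumes an Auth0 rule has put the
// user's roles in a namespaced custom claim on the ID token and that the login
// middleware (e.g. passport) has placed the decoded claims on req.user.
const ROLES_CLAIM = 'https://example.com/roles'; // assumed claim namespace

// Read roles from decoded token claims. Roles come from the claim, never from
// requested scopes, because the client decides which scopes it asks for.
function rolesFromClaims(claims) {
  const roles = claims ? claims[ROLES_CLAIM] : undefined;
  return Array.isArray(roles) ? roles.map(String) : [];
}

// Express-style middleware factory: 401 when not logged in, 403 when the user
// holds none of the allowed roles, otherwise hand off to the next handler.
function requireRole(...allowed) {
  return function (req, res, next) {
    if (!req.user) {
      res.status(401).send('login required');
      return;
    }
    const roles = rolesFromClaims(req.user);
    if (!roles.some((r) => allowed.includes(r))) {
      res.status(403).send('forbidden');
      return;
    }
    next();
  };
}

// Minimal stand-in for Express req/res/next so the guard runs offline.
function simulateRequest(user) {
  const res = {
    statusCode: 200,
    status(code) { this.statusCode = code; return this; },
    send() { return this; },
  };
  let reachedHandler = false;
  requireRole('admin')({ user }, res, () => { reachedHandler = true; });
  return { statusCode: res.statusCode, reachedHandler };
}

// Constructed users matching the thread: A has no roles, B is an admin.
const userA = { sub: 'auth0|userA', [ROLES_CLAIM]: [] };
const userB = { sub: 'auth0|userB', [ROLES_CLAIM]: ['admin'] };

console.log(simulateRequest(userA));     // { statusCode: 403, reachedHandler: false }
console.log(simulateRequest(userB));     // { statusCode: 200, reachedHandler: true }
console.log(simulateRequest(undefined)); // { statusCode: 401, reachedHandler: false }
```

In a real app `app.get('/admin-dashboard', requireRole('admin'), handler)` would replace `simulateRequest`; the guard only trusts roles that arrived in the verified token, so a user cannot promote themselves by asking for extra scopes.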

Thanks a lot for sharing it with the rest of community @Luukth!

1 Like