First some context to my question:
- As an example, I have a blog application built with node express.
- The Authorization Code Flow is used to authenticate users.
- There are 2 users, user A is a normal user with no roles. User B has the role admin, given to him via the auth0 dashboard.
- In my application there is a route called /admin-dashboard; only users with the role admin should be allowed to access this route.
In my application I would like to see/check what role a user has, so I can limit or allow access to certain routes. First I thought about using scopes, but from information in the docs it seems users can allow or deny any scope. This wouldn't be of much use because users could then grant themselves the scope admin:dashboard, for example.
What would be the recommended approach to this problem? There was some information in the docs about rules, but no information on how to attach a role to a user given to them in the auth0 dashboard, only based on email. Or is it common practice to make this authorization myself as described below?
- Authenticate the user.
- Check the corresponding role in my database.
- Manually attach the role to the user object.
This example gets really close to what I want to do. The only downside is that it is using scopes. Is it possible to add scopes to the access token based on the user's role? Or is this not the recommended way to use scopes?
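The three-step approach described in the question (authenticate, look the role up server-side, attach it to the user object), as an added example that is not part of the original post or of any Auth0 sample: an Express-style middleware that guards /admin-dashboard on a role, never on a client-requested scope. It assumes a JWT-verification middleware has already placed the decoded access token on `req.auth`, that a rule may have copied roles into a namespaced custom claim (the namespace URL below is a constructed placeholder), and uses an in-memory map as a stand-in for the application's role database.

```javascript
// Constructed placeholder namespace for a custom roles claim; not an Auth0 value.
const ROLES_CLAIM = 'https://example.com/roles';

// Stand-in for "check the corresponding role in my database".
// Constructed sample data: user A has no roles, user B is admin.
const roleStore = new Map([
  ['auth0|userA', []],
  ['auth0|userB', ['admin']],
]);

// Roles come from the server side only: either asserted by the authorization
// server inside the verified token, or read from the app's own store by `sub`.
function rolesForUser(req) {
  const token = req.auth || {};
  if (Array.isArray(token[ROLES_CLAIM])) return token[ROLES_CLAIM];
  return roleStore.get(token.sub) || [];
}

// Express-style middleware: app.get('/admin-dashboard', requireRole('admin'), handler)
function requireRole(role) {
  return function (req, res, next) {
    if (!req.auth || !req.auth.sub) {
      return res.status(401).json({ error: 'not authenticated' });
    }
    const roles = rolesForUser(req);
    if (!roles.includes(role)) {
      return res.status(403).json({ error: 'forbidden' });
    }
    // "Manually attach the role to the user object" for downstream handlers.
    req.user = { id: req.auth.sub, roles };
    return next();
  };
}

// Minimal res stand-in so the middleware can be exercised without Express installed.
function makeRes() {
  const res = { statusCode: 200, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  return res;
}

// Simulates one request carrying the given decoded token (or none) and reports
// whether the admin guard let it through, which status it set and the attached roles.
function tryAccess(auth) {
  const req = { auth };
  const res = makeRes();
  let passed = false;
  requireRole('admin')(req, res, () => { passed = true; });
  return { passed, status: res.statusCode, roles: req.user ? req.user.roles : null };
}
```

Whichever source the roles come from, the decision is made from data the client cannot self-grant: a verified token claim set by the authorization server, or the application's database.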