Hi there,
In our UI, we want to render certain elements based on the user’s privileges.
Using Auth0 Actions, I can add the user’s roles to the ID token (described here: ), but not specific privileges.
Is it intended that the UI should only differentiate based on roles, or is there a recommended way to include privileges in the ID token as well?
You are correct when it comes to assigning permissions to roles, then adding them as custom claims in the ID Tokens using Actions.
Otherwise you can also use RBAC in order to add specific permissions to the user profile using the Auth0 Dashboard directly or the Management. You can check the Assign Permissions to Users documentation.
Thanks for your response! So, I’d need an extra HTTP request to retrieve that information—got it. I have two more questions:
The @auth0/auth0-angular package doesn’t support custom API calls. So, I’d need to implement my own Auth0 service for that, correct? Is there a reference implementation?
We set the permissions on an organizational level. I just checked https://manage.auth0.com/api/users/[my_user]/permissions and they were empty. I have read and write permissions for specific orgs. Is there an endpoint to retrieve permissions per user per org?
I found the “Get user roles assigned to an Organization member” endpoint, so retrieving roles is an option. However, since it requires the Management API, I’d rather not expose a Management API token in the UI, meaning I’d need to create an extra endpoint in my backend.
That feels like a lot of overhead, considering the permissions information is already embedded in the access_token, which I have in the UI—but shouldn’t decode there.
Is there a best practice for handling this scenario?
You are correct with the statements mentioned above. Since you are using a SPA, it is not recommended to pass the Management API access token to the app directly, nor decode it there.
The easiest approach would be creating multiple roles with the intended permissions and adding them to the ID token via custom claims using Actions. You can also check out this related Knowledge Article since it provides links to different helpful documentation articles on the matter.
This might not suit your particular use case, but permissions can be leveraged using the Management API inside Actions, as detailed here.
Even though it might require more work, in order to use the Management API endpoints from the application side, as you have mentioned as well, it is considered best practice to proxy the search request from the SPA through your backend via a new search endpoint. This would be the secured recommended approach. The solution on this community post provides a detailed explanation.
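As an added example (not code from the thread or from Auth0), this is the role-to-custom-claim approach as a post-login Action, together with a small UI-side helper that reads the claim to decide what to render. The claim namespace and role names are assumed; the `event`/`api` stub at the bottom exists only so the block runs offline.

```javascript
// Added example, not Auth0's own code. Assumed values: the claim namespace
// URL and the role names ('org-editor', 'org-admin') are made up here.
// Custom claim names must be namespaced (a URL) so they cannot collide with
// standard OIDC claims; Auth0 drops non-namespaced custom claims.
const NAMESPACE = 'https://example.com/claims';

/**
 * Auth0 post-login Action: copy the roles assigned to the user into a
 * namespaced custom claim on the ID token (for the UI) and the access token
 * (for the API). `event.authorization.roles` is filled in by Auth0 RBAC.
 * In the Action editor this is published as `exports.onExecutePostLogin`.
 */
async function onExecutePostLogin(event, api) {
  const roles = (event.authorization && event.authorization.roles) || [];
  api.idToken.setCustomClaim(`${NAMESPACE}/roles`, roles);
  api.accessToken.setCustomClaim(`${NAMESPACE}/roles`, roles);
}

/**
 * UI-side helper: gate rendering on the decoded ID token claims (for
 * @auth0/auth0-angular these come from `idTokenClaims$`). This only hides or
 * shows elements; the backend API must still enforce authorization itself.
 */
function canRender(claims, requiredRole) {
  const roles = claims[`${NAMESPACE}/roles`];
  return Array.isArray(roles) && roles.includes(requiredRole);
}

// Stand-alone run with a constructed login event and a recording `api` stub.
function runExample() {
  const issued = {}; // claims the stub "writes" into the ID token
  const api = {
    idToken: { setCustomClaim: (name, value) => { issued[name] = value; } },
    accessToken: { setCustomClaim: () => {} },
  };
  const event = { authorization: { roles: ['org-editor'] } }; // constructed
  return onExecutePostLogin(event, api).then(() => ({
    claims: issued,
    showEditor: canRender(issued, 'org-editor'), // true
    showAdmin: canRender(issued, 'org-admin'),   // false
  }));
}

if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin; // shape the Action editor expects
}
```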
Thanks, that helps a lot. We will start with one permission per role and if it gets too complex we will create a privileges endpoint in our server which utilizes the Management API.