How to limit access to management API by creating roles

For the frontend I have a React application and for the backend I have node-express. And I want to use the management API to manage users/roles etc. My use case is as below:

  1. From the front end an admin wants to create a new user.
  2. Now I am calling a backend API (/createUser) from React to handle this request. I am passing the access_token which I generated using the “getAccessTokenSilently()” React hook. This backend API will check for the required permissions in the token.
  3. In the /createUser API, I am generating a new management API token by sending a request to /oauth/token using the client id, secret and audience of the management API application.
  4. Once I get the token in /createUser, I send a POST request to /api/v2/users along with the authorization token header.

Now coming to my question, I want to create different roles for the management API. For example, admin should be able to do CRUD on /api/v2/users while manager should be allowed to do only read/update on this. The problem I am facing is, when I generate the management API token in step 3, I either get all scopes of the management API or I don't get any permissions, depending on how I configure the management API in the Auth0 dashboard. But I want to have a middle ground between these. Please suggest the best approach for this.

I have found 2 workarounds for this.

  1. Create multiple APIs in Auth0 and authorize them to access the management API, and assign limited scopes to these APIs. For example, I will create an admin API and assign all scopes of the management API, and I will create a manager API and assign limited scopes of the management API. And while generating the token from /createUser, use the appropriate API client id and secret to generate tokens depending on role.

  2. Instead of creating multiple APIs, I created one API and added my own scopes which are very similar to the management API scopes (1-1 mapping). So I check role-based access to /createUser itself and inside it I generate the management API token. Now although this token has all management API scopes, the user can't come to this stage as he is checked for scopes in /createUser only.

Please suggest how this can be achieved. Thanks in advance!

Hello @chetanbc welcome to the community!

I think you’re on the right track with both of your approaches, although you might be able to make it even more simple by utilizing RBAC. At a high level you’d basically just need to create the required roles in Auth0, and implement logic on your backend to allow users to do only the actions they are authorized to do. For example, you may have an admin role with the CRUD permissions and a manager role with only read/update permissions. It’s true that the Management API access token you create on your backend may have all scopes, but you should be able to enforce control based on the permissions each user has. I do believe both of your approaches should suffice, I just wanted to add to this.

I hope this helps to clarify!
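As an added example (not code from this thread, from Auth0, or from either poster), here is the backend gate the steps in the question and the RBAC advice above describe, written in the Express middleware shape the node-express backend would use. It assumes that an upstream JWT middleware has already verified the user's access token signature and exposed the claims as `req.auth.payload`, and that the tenant's RBAC setting "Add Permissions in the Access Token" is on, so the token carries a `permissions` claim. The route names, the `fetchToken` stand-in for the client-credentials call to /oauth/token, and the sample tokens are all constructed for the example.

```javascript
// Added example, not code from the thread. Express-style gate that enforces
// the caller's RBAC permissions before the server mints a Management API token.
// Assumptions: a JWT middleware has already verified the bearer token and put
// its claims on req.auth.payload; the token carries a `permissions` claim.

// Backend permission names mirror the Management API scopes one-to-one
// (the question's approach 2). Route names are constructed.
const ROUTE_PERMISSIONS = {
  'POST /createUser': ['create:users'],
  'GET /getUser': ['read:users'],
  'PATCH /updateUser': ['update:users'],
  'DELETE /deleteUser': ['delete:users'],
};

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Constructed sample token for the demo. It is NOT a valid Auth0 token and
// decodePayload below never checks its signature.
function sampleToken(payload) {
  return `${b64url({ alg: 'RS256', typ: 'JWT' })}.${b64url(payload)}.constructed-signature`;
}

// Parse the payload of a JWT that an upstream middleware already verified.
function decodePayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// True only if every required permission is present in the token; a missing
// or malformed `permissions` claim denies.
function hasPermissions(payload, required) {
  const granted = new Set(Array.isArray(payload.permissions) ? payload.permissions : []);
  return required.every((p) => granted.has(p));
}

// Middleware factory: 401 without a verified token, 403 when any required
// permission is missing, otherwise hand off to the route handler.
function requirePermissions(required) {
  return function (req, res, next) {
    const payload = req.auth && req.auth.payload;
    if (!payload) return res.status(401).json({ error: 'unauthenticated' });
    if (!hasPermissions(payload, required)) {
      return res.status(403).json({ error: 'insufficient_permissions', required });
    }
    return next();
  };
}

// Client-credentials token for the Management API, cached until 30 s before it
// expires so /oauth/token is not called on every request. `fetchToken` stands
// in for the POST to /oauth/token (synchronous here so the example runs offline).
function makeManagementTokenSource(fetchToken, now = () => Date.now()) {
  let cached = null;
  return function getManagementToken() {
    if (cached && cached.expiresAt - 30_000 > now()) return cached.token;
    const { access_token, expires_in } = fetchToken();
    cached = { token: access_token, expiresAt: now() + expires_in * 1000 };
    return access_token;
  };
}

// Minimal stand-in for an Express response object.
function makeResponse() {
  return {
    statusCode: 200,
    body: undefined,
    status(code) { this.statusCode = code; return this; },
    json(body) { this.body = body; return this; },
  };
}

// Run one request through the gate. Only when the gate passes does the handler
// obtain a Management API token; the real handler would then POST to
// /api/v2/users with `Authorization: Bearer <that token>`.
function handleCreateUser(bearerToken, getManagementToken) {
  const req = { auth: { payload: decodePayload(bearerToken) } };
  const res = makeResponse();
  let allowed = false;
  requirePermissions(ROUTE_PERMISSIONS['POST /createUser'])(req, res, () => { allowed = true; });
  if (!allowed) return { status: res.statusCode, body: res.body, mintedManagementToken: false };
  const mgmtToken = getManagementToken();
  res.status(201).json({ created: true });
  return { status: res.statusCode, body: res.body, mintedManagementToken: typeof mgmtToken === 'string' };
}
```

In a real deployment the upstream verification would come from a JWT middleware such as express-oauth2-jwt-bearer, which validates the signature, issuer and audience and exposes the verified claims as `req.auth.payload`; this example deliberately only parses. The point of the structure is that the all-scope Management API token never leaves the server and is only requested after the per-user permission check has passed, so a manager token with only `read:users`/`update:users` gets a 403 from /createUser before any call to /oauth/token is made.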

Hello @tyf,

Thank you for the reply.

I am going with 2nd approach. And I am using RBAC to check roles in the backend as you explained. Thanks for the clarification!


Sure thing @chetanbc happy to help!
