Hi,
For the frontend I have a React application, and for the backend I have Node/Express. I want to use the Management API to manage users, roles, etc. My use case is as below:
1. From the frontend, an admin wants to create a new user.
2. I then call a backend API (/createUser) from React to handle this request. I pass the access_token which I generated using the “getAccessTokenSilently()” React hook. This backend API checks for the required permissions in the token.
3. In the /createUser API, I generate a new Management API token by sending a request to /oauth/token with the client ID, client secret and audience of the Management API application.
4. Once I get the token in /createUser, I send a POST request to /api/v2/users with the token in the Authorization header.
Now, coming to my question: I want to create different roles for the Management API. For example, an admin should be able to do CRUD on /api/v2/users, while a manager should only be allowed to read/update. The problem I am facing is that when I generate the Management API token in step 3, I either get all scopes of the Management API or no permissions at all, depending on how I configure the Management API in the Auth0 dashboard. I want a middle ground between these. Please suggest the best approach for this.
I have found 2 workarounds for this.
- Create multiple APIs in Auth0 and authorize them to access the Management API, assigning limited scopes to each. For example, I would create an admin API and assign it all scopes of the Management API, and a manager API and assign it limited scopes of the Management API. Then, when generating the token from /createUser, use the appropriate API's client ID and secret to generate the token depending on the role.
- Instead of creating multiple APIs, I created one API and added my own scopes, which are very similar to the Management API scopes (a 1-1 mapping). I check role-based access in /createUser itself, and inside it I generate the Management API token. Although this token has all Management API scopes, the user cannot reach this stage because they are already checked for scopes in /createUser.
Please suggest how this can be achieved. Thanks in advance!
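The second workaround described above, written out as an added example (this is not the original poster's code). It assumes the caller's access token has already been verified by middleware such as express-oauth2-jwt-bearer, which exposes the claims on req.auth.payload; the tenant domain example.auth0.com, the Management API client credentials and the permission names create:users, read:users, update:users and delete:users are placeholders. The backend checks the caller's own permission before it ever touches the full-scope Management API token, caches that token until just before expiry so /oauth/token is not called on every request, and never returns it to the browser. The stubAuth0Fetch function is a constructed stand-in for the tenant so the flow can be run offline.

```javascript
// Added example (not the original poster's code): the second workaround as
// Express-style handlers. Assumes the caller's token was already verified,
// e.g. by express-oauth2-jwt-bearer, which puts the claims on req.auth.payload.
// example.auth0.com, the client credentials and permission names are placeholders.

// Custom permissions on *our* API, mapped 1:1 to the Management API operations.
const OPERATION_PERMISSIONS = { createUser: 'create:users', readUser: 'read:users', updateUser: 'update:users', deleteUser: 'delete:users' };

// Auth0 RBAC puts granted permissions in the `permissions` array claim;
// fall back to the space-separated `scope` claim otherwise.
function callerPermissions(payload) {
  if (Array.isArray(payload.permissions)) return new Set(payload.permissions);
  return new Set((payload.scope || '').split(' ').filter(Boolean));
}

// Middleware: 403 unless the verified token carries the operation's permission.
function requirePermission(operation) {
  const needed = OPERATION_PERMISSIONS[operation];
  return (req, res, next) => {
    const payload = (req.auth && req.auth.payload) || {};
    if (!callerPermissions(payload).has(needed)) return res.status(403).json({ error: `missing permission ${needed}` });
    return next();
  };
}

// Client-credentials token for the Management API, cached until 60 s before
// expiry. It never leaves the backend; the check above decides who may use it.
class ManagementTokenSource {
  constructor({ domain, clientId, clientSecret, fetchFn = globalThis.fetch, now = Date.now }) {
    Object.assign(this, { domain, clientId, clientSecret, fetchFn, now, cached: null, tokenRequests: 0 });
  }

  async token() {
    if (this.cached && this.cached.expiresAt - 60_000 > this.now()) return this.cached.accessToken;
    this.tokenRequests += 1; // counts real calls to /oauth/token
    const res = await this.fetchFn(`https://${this.domain}/oauth/token`, {
      method: 'POST',
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify({ grant_type: 'client_credentials', client_id: this.clientId,
        client_secret: this.clientSecret, audience: `https://${this.domain}/api/v2/` }),
    });
    if (!res.ok) throw new Error(`token request failed with ${res.status}`);
    const body = await res.json();
    this.cached = { accessToken: body.access_token, expiresAt: this.now() + body.expires_in * 1000 };
    return this.cached.accessToken;
  }
}

// POST /api/v2/users with the cached token; resolves to the created user.
async function createManagementUser(tokenSource, user) {
  const res = await tokenSource.fetchFn(`https://${tokenSource.domain}/api/v2/users`, {
    method: 'POST',
    headers: { authorization: `Bearer ${await tokenSource.token()}`, 'content-type': 'application/json' },
    body: JSON.stringify(user),
  });
  if (!res.ok) throw new Error(`Management API returned ${res.status}`);
  return res.json();
}

// Wire as: app.post('/createUser', requirePermission('createUser'), createUserHandler(tokenSource))
function createUserHandler(tokenSource) {
  return async (req, res) => {
    try {
      const created = await createManagementUser(tokenSource, req.body);
      res.status(201).json({ user_id: created.user_id });
    } catch (err) {
      res.status(502).json({ error: err.message });
    }
  };
}

// Constructed stand-in for the Auth0 tenant so the flow runs offline.
function stubAuth0Fetch(url, options) {
  const reply = (status, body) => Promise.resolve({ ok: status < 400, status, json: async () => body });
  if (url.endsWith('/oauth/token')) return reply(200, { access_token: 'mgmt-token-1', expires_in: 86400 });
  if (!url.endsWith('/api/v2/users')) return reply(404, {});
  if (options.headers.authorization !== 'Bearer mgmt-token-1') return reply(401, {});
  return reply(201, { user_id: 'auth0|stub-0001', email: JSON.parse(options.body).email });
}

// Drives one /createUser request through middleware and handler using a
// minimal fake of Express's req/res; returns the status and body sent.
async function handleCreateUser(tokenSource, permissions, body) {
  const req = { auth: { payload: { permissions } }, body };
  const res = { statusCode: 200, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (sent) => { res.body = sent; return res; };
  let authorized = false;
  requirePermission('createUser')(req, res, () => { authorized = true; });
  if (authorized) await createUserHandler(tokenSource)(req, res);
  return { statusCode: res.statusCode, body: res.body };
}

const demoSource = new ManagementTokenSource({ domain: 'example.auth0.com', clientId: 'mgmt-client-id',
  clientSecret: 'mgmt-client-secret', fetchFn: stubAuth0Fetch });
handleCreateUser(demoSource, ['read:users', 'update:users'], { email: 'm@example.com' }) // manager: 403
  .then((m) => handleCreateUser(demoSource, ['create:users'], { email: 'a@example.com' }) // admin: 201
  .then((a) => console.log(m.statusCode, a.statusCode, demoSource.tokenRequests)));
```

A manager token that carries only read:users and update:users is refused at the middleware, so no Management API call and no token request happens for it; an admin token passes and the same cached Management API token serves every subsequent call until it nears expiry. The same pattern extends to the read/update routes by adding a route per operation with requirePermission('readUser') or requirePermission('updateUser') in front of it. If several requests can arrive before the first token is cached, deduplicate the in-flight /oauth/token promise as well, which this example leaves out for brevity.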