Following this guide, I can add an API authorizer.
- How do I connect the user object in the DB with the Auth0 user when a new user registers?
- How do I get the user id from the API gateway to know who is making the request?
- How/where do I store permissions for users?
Q1 I would say there is not sufficient information to answer this; Auth0 can be used as an identity store (credentials stored in the service itself, so registration also happens at Auth0) or just to have the authentication flow go through the service (while retaining credentials in a custom store; see custom databases). You should clarify your scenario and requirements, as it is not clear, at least to me, what the solution for your question would be.
Q2 The access token sent to the API gateway and validated by the custom authorizer would contain a sub claim that is the user identifier at Auth0. It is also possible to add additional custom claims to the access token.
Q3 Again, depending on the requirements around permissions and also the characteristics of such permissions, you could either store them in your own store or directly as part of the user profile. If you require very flexible management of those permissions, it will likely be better to store them in your own store; however, storing them in the user profile makes them easily available for authorization decisions that you perform in rules. In conclusion, it will likely depend on the exact scenario and also on personal preference over the pros and cons of the different storage approaches.
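As an added example (not part of the original thread), a minimal API Gateway TOKEN authorizer in Python that does what Q2 describes: validate the access token, read the sub claim, and pass it plus a namespaced permissions claim to the backend through the authorizer context. The issuer, audience, claim name and HS256 demo secret are constructed; a real Auth0 access token is RS256-signed and would be verified against the tenant's JWKS, but the claim handling is the same.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values; real Auth0 tokens are RS256-signed and checked against the tenant JWKS.
DEMO_SECRET = b"demo-shared-secret"                      # constructed HS256 demo key
ISSUER = "https://example-tenant.auth0.com/"             # assumed tenant issuer
AUDIENCE = "https://api.example.com"                     # assumed API identifier
PERMS_CLAIM = "https://api.example.com/permissions"      # assumed namespaced custom claim

def _b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64d(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def mint_token(sub, permissions, exp, secret=DEMO_SECRET):
    # Test fixture: an HS256 JWT carrying sub plus the custom permissions claim.
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps({"iss": ISSUER, "aud": AUDIENCE, "sub": sub,
                             "exp": exp, PERMS_CLAIM: permissions}).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def verify_token(token, now, secret=DEMO_SECRET):
    # Returns the claims only if signature, alg, iss, aud and exp all check out.
    head_b64, body_b64, sig_b64 = token.split(".")       # ValueError if malformed
    if json.loads(_b64d(head_b64)).get("alg") != "HS256":  # pin the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64d(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64d(body_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong iss/aud")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def _policy(effect, principal, arn, context):
    return {"principalId": principal, "context": context, "policyDocument": {"Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": arn}]}}

def authorizer_handler(event, now=None):
    # API Gateway TOKEN authorizer: Allow and forward sub/permissions via context, else Deny.
    now = time.time() if now is None else now
    token, arn = event.get("authorizationToken", ""), event.get("methodArn", "*")
    try:
        if not token.startswith("Bearer "):
            raise ValueError("no bearer token")
        claims = verify_token(token[len("Bearer "):], now)
        context = {"sub": claims["sub"], "permissions": ",".join(claims.get(PERMS_CLAIM, []))}
    except Exception:                                    # any failure: fail closed
        return _policy("Deny", "anonymous", arn, {})
    return _policy("Allow", claims["sub"], arn, context)
```

The backend receives `sub` and `permissions` as `event["requestContext"]["authorizer"]` values, so it never has to parse the token itself.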