How to "Protect a route based on specific claims" for "Standard Web Application" (NodeJS/Express) and

Hi there

I’m following the Express Quickstart and the Auth0 Express Pug tutorial to protect a standard web application. Login / logout works fine.

But now, I need to protect the application further, so that only users with a certain role can access certain routes. I found an example page with some brief info, but checking claims has failed miserably so far. When I examine the user info in `req.oidc.user`, I cannot see any role info, despite the fact that I created a role and assigned it to the user in the Auth0 dashboard.

I did search for this extensively, but have not yet found a good NodeJS/Express example. Instead I’ve seen lots of discussions about “Authorization Core” (which I’m using AFAICT) vs. “Authorization Extension”, APIs and C# :rofl:
In any case, while the standard authentication was actually super simple, the authorization seems to be a lot harder than one would expect. Can someone point me to the pieces I’m missing, a working example, tutorial, documentation? Thanks!

Happy holidays!
Will

Ok, either my question is super stupid and I’m simply missing the obvious, or this standard use case is too complex for Auth0? In any case I guess I’ll have to solve this myself – without Auth0. :disappointed_relieved:

Hi @uscheidegger ,

Sorry for the huge delay. I hope you were able to solve the issue. If not, it looks like you are close to the solution. I checked the Express example you shared, and it looks like it’s checking the claims for a user. In Auth0, you will have to add those roles to the token using rules to receive user permissions in your Access Tokens. Check this example here: Sample Use Cases: Rules with Authorization
Then you can map those claims in your Express app.

Hope that helps!

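The two pieces described in the reply above, sketched as an added example that is not part of the original thread or of Auth0's own code: a rule that copies the assigned roles into a namespaced token claim, and an Express middleware that checks that claim on `req.oidc.user`. The namespace `https://example.com/roles`, the role name and the helper names are assumptions, and the claim is placed on the ID token on the assumption that `req.oidc.user` is built from ID token claims.

```javascript
// Assumed namespaced claim; custom claims need a namespace you control.
const ROLES_CLAIM = 'https://example.com/roles';

// Auth0 Rule (runs inside Auth0, not in Express). When pasting it into the
// dashboard, inline ROLES_CLAIM, since the rule has no access to this file.
function addRolesToIdToken(user, context, callback) {
  const assigned = (context.authorization || {}).roles || [];
  context.idToken[ROLES_CLAIM] = assigned;
  callback(null, user, context);
}

// Express middleware: let the request through only if the logged-in user
// holds at least one of the required roles. Anything unexpected is denied.
function requireRole(...required) {
  return function (req, res, next) {
    const user = req.oidc && req.oidc.user;
    if (!user) return res.status(401).send('Login required');
    const roles = user[ROLES_CLAIM];
    // Require an array: a plain string would allow substring matches.
    const ok = Array.isArray(roles) && required.some((r) => roles.includes(r));
    if (!ok) return res.status(403).send('Forbidden');
    return next();
  };
}

// Hypothetical helper: run the middleware against a constructed request
// and report the HTTP status it would produce (200 = next() was called).
function statusFor(user, ...required) {
  let status = 200;
  const res = {
    status(code) { status = code; return this; },
    send() { return this; },
  };
  requireRole(...required)({ oidc: user ? { user } : {} }, res, () => {});
  return status;
}

// Constructed rule context, standing in for what Auth0 passes to a rule.
function simulateLogin(roles) {
  const context = { authorization: { roles }, idToken: { sub: 'auth0|constructed' } };
  addRolesToIdToken({}, context, () => {});
  return context.idToken; // what req.oidc.user would contain
}

// In the app: app.get('/admin', requireRole('admin'), adminHandler);
```

A user whose token lacks the claim, which is the situation described in the question, gets a 403 rather than falling through to the route.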

Kudos @lily.wisecarver for helping on this one!
