
How to restrict users on specific end points of the WEB API


I am using machine-to-machine authentication using auth0.
My WebAPI has about 8 end points and I need to restrict specific end points by the user. How can I achieve this? The rule has to be set at the client level.


Have you looked into scopes (under Applications in auth0 dashboard) - and if using .net web api those will need to be translated to claims (requires a custom filter). You can then use those claims to lock down the endpoints/methods. For example, if you add a scope of "read:messages" then you decorate your method with [Authorize("read:messages")].

Hope this helps. I can add more info if you are using .net web api core 2.0

Also some things are unclear - you say user but also say machine-to-machine.
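
One way to wire up the scope-to-policy check described in the reply above, for ASP.NET Core (an added example, not code from any poster in this thread). The names HasScopeRequirement, HasScopeHandler and ScopePolicies are assumptions chosen for illustration, and the issuer value is a placeholder for your own tenant URL.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

// Requirement: the access token must carry one specific scope from a trusted issuer.
public class HasScopeRequirement : IAuthorizationRequirement
{
    public string Scope { get; }
    public string Issuer { get; }
    public HasScopeRequirement(string scope, string issuer)
    {
        Scope = scope ?? throw new ArgumentNullException(nameof(scope));
        Issuer = issuer ?? throw new ArgumentNullException(nameof(issuer));
    }
}

public class HasScopeHandler : AuthorizationHandler<HasScopeRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, HasScopeRequirement requirement)
    {
        // The "scope" claim is one space-delimited string, e.g. "read:messages write:messages".
        var claim = context.User.FindFirst(
            c => c.Type == "scope" && c.Issuer == requirement.Issuer);
        // A token with no scope claim never succeeds, so the endpoint is denied by default.
        if (claim == null) return Task.CompletedTask;
        var granted = claim.Value.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
        // Exact, case-sensitive match: "read:messages" must not satisfy "read:messages:all".
        if (granted.Contains(requirement.Scope, StringComparer.Ordinal))
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

public static class ScopePolicies
{
    // Call from Startup.ConfigureServices; issuer is a placeholder such as "https://YOUR_DOMAIN/".
    public static void AddScopePolicies(this IServiceCollection services, string issuer, params string[] scopes)
    {
        services.AddAuthorization(options =>
        {
            // One policy per scope, named after the scope, so [Authorize("read:messages")] resolves to it.
            foreach (var scope in scopes)
                options.AddPolicy(scope, p => p.Requirements.Add(new HasScopeRequirement(scope, issuer)));
        });
        services.AddSingleton<IAuthorizationHandler, HasScopeHandler>();
    }
}
```

With this registered, each machine-to-machine client can only reach the actions whose policy name matches a scope present in its access token; every other decorated action returns 403.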


Thanks for the reply.
I am referring to each machine-to-machine setup as a user as I will have multiple of such users.

I added scope to the API, but the token is not including it. Do I need to specifically add the scope anywhere else in the auth0 interface?