I need more explanation about Roles

I need some help here. I am in a place where I can see the JWT on my Node server from my Vue app and that is working, so I can get some secure routes going, good. Next I need to assign some roles and this is where things get a little confusing for me. I am a newer programmer and came to Auth0 to simplify my authorization and it has been anything but easy. I used Passport before in my Node apps but I wanted to offload the maintenance and security risk. Anyway. My application requires users to pay to use my application and currently they don’t have an easy way to do that, they told me to use rules. So my server will end up taking the payment and then passing the role to Auth0, as I understand it.

I currently have a /role route going that just sends paid to the route. So when Auth0 hits that route I can set the role to paid, then I should be able to access the route.

I added a rule to Set roles to a user in the Dashboard of Auth0, but I need to make an API call and am pretty confused about how to approach this.

All they show is a single function for me to work in, which wouldn’t be a problem but I don’t know how to make an API call from within the function to my server. I would normally use Axios but I don’t think I can set a dependency. So I need to know how to make the call, is it promise or callback-based?

Also how do I set the role if this stage is completed, is it `user.app_metadata.role`? I’m not sure.
Then how do I tell Auth0 what user to set this to? Do I need to pass through the JWT from my server? This is all very confusing to me right now. Auth0 provides documentation but not for a complete use case, I have to piece it together which is not working out so well and the deeper I go the harder it is for me to find examples that work for my use case.

Hello @illcrx,

You are headed in the right direction. I suspect there are many ways to achieve what you want. I hope the following is helpful:

  • As you say, you need some way to control access to your app based on a user’s paid status. Access control is one of the use cases for rules so using a rule is a good choice here. The rule can query the user’s paid status either from the user’s own profile (app_metadata) or from an external source like an API or database. It is up to you how you want to do this. Storing paid status in the user’s profile does have the advantage of avoiding API calls once paid status is set.

  • If you are going to store paid status in Auth0 then you need a way to do that. You can use a rule here as well. This could be the same rule as above or another one. If you use a separate rule for this, I suggest putting it ahead of the access control rule above. Again, the rule can query an API or external database for information.

  • Alternatively, your app could update the user’s paid status itself, using the management API to update the user’s app_metadata.

Remember that rules are just node.js / javascript code, so more or less anything you can do in node.js you can do in a rule. This blog post is a bit long, but may have useful information for you:

Ok, you cleared something up for me a bit. Since I have to manage payments on my side anyway it’s probably best to use the Management API to set user roles if they pay, or miss payment. I think I will look into that more.

Thank you!

Let us know if you have any other questions down the road!
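
The flow settled on in this thread, as an added example that is not part of the original posts or Auth0's own code: the server stores the role with the Management API's `PATCH /api/v2/users/{id}` call, taking the user id from the already-verified JWT's `sub` claim, and a rule copies the stored role into a namespaced access-token claim. The tenant domain, the `role` key, the claim namespace and all function names are assumptions.

```javascript
// Added example: names, the "role" key and the claim namespace are assumptions.
const ALLOWED_ROLES = new Set(["paid", "unpaid"]);
const CLAIM_NS = "https://example.com/"; // hypothetical namespace for custom claims

// Server side: build the Management API call that stores the role.
// verifiedClaims is the payload of a JWT whose signature the server already checked.
function buildRoleUpdate(domain, mgmtToken, verifiedClaims, role) {
  const userId = verifiedClaims && verifiedClaims.sub;
  // Take the user id from the verified token, never from the request body,
  // so one user cannot mark another account as paid.
  if (typeof userId !== "string" || userId === "") throw new Error("missing sub claim");
  if (!ALLOWED_ROLES.has(role)) throw new Error("unexpected role: " + role);
  return {
    url: `https://${domain}/api/v2/users/${encodeURIComponent(userId)}`,
    options: {
      method: "PATCH",
      headers: {
        authorization: `Bearer ${mgmtToken}`,
        "content-type": "application/json",
      },
      body: JSON.stringify({ app_metadata: { role } }),
    },
  };
}

// Call this only after the payment provider has confirmed the charge.
async function setRole(domain, mgmtToken, verifiedClaims, role, fetchImpl = fetch) {
  const { url, options } = buildRoleUpdate(domain, mgmtToken, verifiedClaims, role);
  const res = await fetchImpl(url, options);
  if (!res.ok) throw new Error(`Management API returned ${res.status}`);
  return res.json();
}

// Auth0 side: rule body that copies the stored role into the access token.
// Users with no stored role are treated as unpaid.
function addRoleClaim(user, context, callback) {
  const stored = (user.app_metadata || {}).role;
  const role = ALLOWED_ROLES.has(stored) ? stored : "unpaid";
  context.accessToken = context.accessToken || {};
  context.accessToken[CLAIM_NS + "role"] = role;
  callback(null, user, context);
}
```

The Management API token stays on the server and needs permission to update users; the Vue app only ever sees the resulting claim in its access token.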