I’ve followed the quickstart steps for setting up my Rails web app with an Auth0 login as well as the steps for storing the userinfo in a session and logging out. What is the best practice for integrating this with an authorization library like Pundit?
How do I guarantee someone can’t simply modify the auth0 user session and appear as a different user? Normally Devise would handle creating a “current user”. How would I go about setting up something similar with Auth0?
I’m guessing local authorization has already been considered and I’m just missing something simple to make Auth0 and Pundit work together…
I don’t have experience with Pundit, but hopefully can help with the Auth0 side.
A token issued by Auth0 after successful authentication acts to identify the user (ID token) or allow access to a resource (access token). This token is signed by Auth0, and can be verified by the application or API.
Unfortunately, it doesn’t look like we have specific examples that include Pundit, but I found this repo that attempts to integrate. We also have a blog post about building a Rails API that could be helpful.
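As an added example (not from this thread, Auth0's SDKs or Pundit), here is how the answer's point about the signed ID token turns into a Devise-style `current_user` for Pundit: the app derives identity only from the `sub` claim of a token whose RS256 signature, issuer, audience and expiry it has verified itself, using just Ruby's OpenSSL and JSON stdlib. The key pair, `ISSUER` and `AUDIENCE` are constructed placeholders, and `mint_id_token` exists only to fabricate the sample token that Auth0 would normally issue.

```ruby
require 'openssl'
require 'json'

# Constructed stand-in for the Auth0 tenant's RS256 signing key pair: in a
# real app the public half comes from the tenant's JWKS endpoint and the
# private half never leaves Auth0. ISSUER and AUDIENCE are placeholders.
SIGNING_KEY = OpenSSL::PKey::RSA.new(2048)
ISSUER   = 'https://YOUR_TENANT.auth0.com/'
AUDIENCE = 'YOUR_CLIENT_ID'
User = Struct.new(:id, :email)

def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  s = str.tr('-_', '+/')
  (s + '=' * ((4 - s.length % 4) % 4)).unpack1('m0') # strict: raises on junk
end

# Only here to fabricate a sample token; Auth0 performs this step for you.
def mint_id_token(claims, key = SIGNING_KEY)
  header = b64url_encode(JSON.generate(alg: 'RS256', typ: 'JWT'))
  signing_input = "#{header}.#{b64url_encode(JSON.generate(claims))}"
  sig = key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url_encode(sig)}"
end

# Returns the claims only if algorithm, signature, issuer, audience and
# expiry all check out; otherwise nil. Nothing in the payload is trusted
# until the signature over header.payload has been verified.
def verify_id_token(token, public_key, now: Time.now.to_i)
  header_b64, payload_b64, sig_b64 = token.to_s.split('.')
  return nil unless header_b64 && payload_b64 && sig_b64
  return nil unless JSON.parse(b64url_decode(header_b64))['alg'] == 'RS256'
  signed = "#{header_b64}.#{payload_b64}"
  digest = OpenSSL::Digest.new('SHA256')
  return nil unless public_key.verify(digest, b64url_decode(sig_b64), signed)
  claims = JSON.parse(b64url_decode(payload_b64))
  return nil unless claims['iss'] == ISSUER && Array(claims['aud']).include?(AUDIENCE)
  return nil unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  claims
rescue ArgumentError, JSON::ParserError, OpenSSL::PKey::PKeyError
  nil
end

# Devise-style current_user for Pundit: identity is the verified `sub`,
# never a value the client could write itself.
def current_user_from(token, public_key = SIGNING_KEY.public_key)
  claims = verify_id_token(token, public_key)
  claims && User.new(claims['sub'], claims['email'])
end
```

In a controller this would sit behind a `current_user` helper that Pundit calls; a token with a rewritten `sub`, an expired `exp`, the wrong audience or a signature from another key all yield `nil`, so no user is resolved.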