My company wants to switch from an old “home made” authentication/authorization system to Auth0 for all of their applications (mainly regular AspNet Core apps).
This ‘legacy’ authorization system is based on ‘permissions’ granted to users, which is very close (I think) to the RBAC permissions implemented in Auth0.
So I spent these last days trying to figure out how to leverage the RBAC permissions system to restrict access of my regular WebApp to some area, regarding who is logged in.
Thanks to this article, I’ve understood how to use the Roles defined in Auth0 in my AspNet WebApp to do this kind of job:
But in my use case, I would like to go further and use the Auth0 permissions defined for these roles (which are more ‘fine-grained’ to me, and are closer to the concept of ‘permissions’ in my old system), instead of the role itself, to check access.
So I found this helpful article:
But this is for protecting Web API. This will not work with my OpenId Connect Authorisation Code scenario, since there is no bearer Access Token to decode the scoped permissions from.
And that is what I am beginning to think: this permissions stuff is intended to secure APIs, not regular web apps, and so there is no easy way to retrieve them, or at least not from the (ID) tokens I can get in my scenario.
Am I right?
And so, what are the solutions if I want to retrieve the permissions allowed to my connected user according to their role?
Should I put the permissions associated with the role as a custom claim in the ID Token (thanks to a Rule)? Is it possible to do that?
Or should I rather query the Auth0 API somehow, retrieve the permissions for a role from there, and use these in my WebApp to check access?
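The first option the post asks about (putting role and permission names into the ID token as a custom claim) is shown below as an added example; it is not code from the original post or from Auth0. It is written in the shape of an Auth0 post-login Action and assumes the `event.authorization.roles` array and the `api.idToken.setCustomClaim(name, value)` call that Actions expose. The namespace `https://example.com/`, the sample role and permission names, and the `lookupPermissions` callback (standing in for a Management API call that returns a user's permission names) are all constructed for illustration. The claim-building logic is kept in a pure function so it can be exercised offline with a fake `api` object.

```javascript
// Added example: an Auth0 post-login Action that copies the logged-in user's roles and
// permissions into namespaced custom claims on the ID token, so a regular ASP.NET Core app
// using the Authorization Code flow can evaluate them as ordinary claims.
// Assumed Actions API: event.authorization.roles, event.user.user_id, api.idToken.setCustomClaim.
const NAMESPACE = 'https://example.com/'; // constructed namespace; avoids clashing with standard claims

// Pure helper: de-duplicate and sort so the token is deterministic and easy to compare.
function buildClaims(roles, permissions) {
  const uniq = (xs) => Array.from(new Set(xs || [])).sort();
  return {
    [`${NAMESPACE}roles`]: uniq(roles),
    [`${NAMESPACE}permissions`]: uniq(permissions),
  };
}

// Attach each claim to the ID token through the Actions `api` object.
function applyClaims(api, claims) {
  for (const [name, value] of Object.entries(claims)) {
    api.idToken.setCustomClaim(name, value);
  }
  return claims;
}

// Action entry point. `lookupPermissions` is a hypothetical async function (in a real
// Action it would wrap the Management API) returning the permission names for a user id;
// it is injected here so the handler can run without network access.
async function onExecutePostLogin(event, api, lookupPermissions = async () => []) {
  const roles = (event.authorization && event.authorization.roles) || [];
  const permissions = await lookupPermissions(event.user.user_id);
  return applyClaims(api, buildClaims(roles, permissions));
}

// Minimal fake of the Actions `api` object, for local testing only: records what was set.
function fakeApi() {
  const claims = {};
  return { idToken: { setCustomClaim: (name, value) => { claims[name] = value; } }, claims };
}

// Local demonstration with a constructed login event.
async function demo() {
  const api = fakeApi();
  const event = { user: { user_id: 'auth0|constructed-user' }, authorization: { roles: ['editor', 'editor'] } };
  await onExecutePostLogin(event, api, async () => ['read:reports', 'write:reports']);
  return api.claims;
}

if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```

On the ASP.NET Core side the added claim is then matched with a normal policy, e.g. `options.AddPolicy("read:reports", p => p.RequireClaim("https://example.com/permissions", "read:reports"))`, which is the same mechanism the role-based article uses, just keyed on the finer-grained claim. One caveat worth keeping in mind: claims baked into the ID token are only as fresh as the login, so a permission revoked in Auth0 stays in the app until the user signs in again, which is the trade-off against querying Auth0 on each request.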