Login token to use APIs

Hi all!

I am trying to figure out some solution to my general problem. I am trying to utilize Auth0 as our IDP, based on that I created some Users and assigned them some roles/permissions. My idea is when a user signs in, they should be able to use their access token to fetch specific data from our API applications (everything is static at the moment, but it’s just a proof of concept). So I have two API applications with their own scopes and those scopes are assigned to the roles assigned to the users. Now comes my two problems:

  1. When the user logs in, their access token does not contain their permissions, meaning that during authorization check in the APIs, it’s impossible to check if the access token belongs to a user with that specific scope (permission? role?) assigned to them.
  2. The APIs talk with eachother via API calls through an AWS API Gateway, there is an authorizer there to check if the token is valid which works generally fine, the problem is in the APIs themselves, if I check for the audience inside the access token, the same code (API) cannot be used to serve M2M AND end users who login to the platform, because there is no way to understand wether the token was generated for M2M communication vs end customer with username and password authentication/authorization

Am I getting the whole OAuth topic wrong? I felt like using the login + assigning roles/permissions/scopes to users would allow me to implement some kind of token based authorization on each API application level, but those permissions/scopes are not part of the access token generated by Auth0 so it’s hard to do that. And the other problem: If I check for audience in an access token, when a user logs into a Web Application, their audience is that web application, so I cannot make an API respond to both M2M communication and end user communication if I should check if the token given has the correct audience during M2M communication.

Thank you for your help!

Hi @ahmed.sabaa,

You can have the permissions added to the token by toggling a setting on in the API settings. It is shown in this doc:

https://auth0.com/docs/manage-users/access-control/configure-core-rbac/enable-role-based-access-control-for-apis#dashboard

The audience (or sub claim in the token) should be the API that is the intended consumer of the token.

I’m not sure I have a clear picture of the issue you are describing here, could you give an example?

1 Like