Maximum number of roles an identity can have

Hi All,
would like to know the limitations of Auth0 roles. We have a cloud application for managing a plant. A plant is a highly complicated structure having 1000’s of devices and each device having 10’s of operations. We would like to implement fine-grained authorization using roles. For example, if there is a device X and a user can perform 10 operations, we would be creating 10 roles for this device X like x_op1, x_op2, x_op3 etc. Depending on the requirement, users will be assigned these roles (one or many). Every time a user tries to access the device by using some API, for example /Devices/X/op1, /Devices/X/op_2, the corresponding role or group name will be checked for membership for the logged-in user from the access token. If the user is a member of the group/role specific for that device and operation, like x_op1, he will be allowed or denied. Implementing this might result in the creation of 10s of thousands of roles and each user being given 1000’s of role memberships. Could you please let us know if this scenario will be supported by Auth0? How many roles can be created at maximum, and how many roles can an identity be part of? This will be really helpful for us to decide the authorization mechanism for our product.

In a sense Auth0 does not do roles, at least not “natively”. You can add “role” or “group” information to a user profile and build your authorization controls (using rules) around that information.

In your case, the amount of data you are talking about may be too much for the auth0 data store, so you may want to use an external data store for improved scalability.

It is worth thinking of Auth0 as the “OAuth/OIDC glue” that sits in between your apps and your user data repositories. Those user data repos can be anywhere … google, facebook, Auth0, PostgreSQL, MongoDB, etc.

You may want to look at the authorization extension, though the data set you are talking about may be too much for it as well.

Let us know if you have any other questions down the road!

@konrad.sopala and @markd Thanks a lot for the input. Also we have got a scenario to share the roles among multiple applications. Since we have three different components (one web app, one native mobile app and one common API layer), all will be registered as different applications with different client IDs and secrets (due to compliance requirements we can’t share the same client ID and secret in all places). All three components are part of the same product. The user can log in via the mobile app or the web app but should have the same roles. As per the documentation, it looks like we can’t share the roles and permissions among different applications and the only way is to duplicate. Data duplication is something not acceptable for us as we would eventually have thousands of roles. Is there a way to handle this without any data duplication?

Hello @nedumarans,

No duplication is necessary. Whether you store your user data (and associated group/role/scope data) directly in Auth0 or an external data store, all your apps and APIs can reference that one data store for authentication and authorization. You could also store user authentication data in Auth0, while storing your group/role/scope data in an external data store, and pull that data in via a rule.

For example, where I work, we have many applications and APIs, but all our user data is stored in a single Auth0 user database, and all our applications and APIs depend on that single database. We also have some callouts to external data stores for accessing user data that is better stored outside Auth0.

Hello @markd,
The documentation says the roles and permissions are tied to applications. If we need the same, we need to duplicate them.
“Currently, roles and permissions are set on a per-application basis. If you need the same roles or permissions on another application, you’ll have to create them separately.” (Authorization Extension).
If you have already solved this problem of referring to a single source of roles for all applications, could you please share your approach?

Regards,
Nedu

Hi @nedumarans,

My apologies … I did not realize you were looking at the authorization extension. We did use the authz extension for one of our apps, but we had some trouble with it (occasional 500 errors when the webtask.io container got recycled) so we did not deploy it beyond that one app.

(It is worth mentioning that Auth0 is working on a replacement for the authorization extension.)

For the rest of our apps, we store roles in the user’s profile in Auth0 (our user data store is an Auth0 hosted database). In this way, the roles can be shared across all applications.

So, for example, we have something like the following in the user’s app_metadata:

"app_metadata": {
    "roles": [
        "role1",
        "role2",
        ...
    ]
}

This specific model likely won’t work (not complex enough), given the number of roles you are looking at, but you could modify this model to work for you. Again, I expect you would probably want to use an external database to store this data. The main difference in this model is you don’t get the group-role-scope mapping logic of the authorization extension. You have to build that yourself.
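As an added example that is not part of the thread, the following shows the two pieces this model leaves you to build yourself: an Auth0 rule-style function that copies the app_metadata roles described above into a namespaced access-token claim, and the API-side membership check the original poster sketched for routes like /Devices/X/op1 (the claim namespace, sample user and route regex are assumptions for this example).

```javascript
// Added example (not from the thread): roles stored in app_metadata are
// surfaced as a namespaced access-token claim by a rule, then checked per
// device/operation on the API side. Namespace and sample data are constructed.
const ROLES_CLAIM = 'https://example.com/roles'; // hypothetical claim namespace

// Same (user, context, callback) shape as an Auth0 rule.
function addRolesToAccessToken(user, context, callback) {
  const meta = user.app_metadata || {};
  const roles = Array.isArray(meta.roles) ? meta.roles : [];
  context.accessToken = context.accessToken || {};
  // Custom claims need a namespaced (URL-style) name to survive in the token.
  // Caveat: at thousands of roles per user this claim would bloat every token;
  // at that scale markd's suggestion of an external store checked by the API
  // is the more realistic design.
  context.accessToken[ROLES_CLAIM] = roles;
  return callback(null, user, context);
}

// API side: derive the required role name from the route, following the
// poster's convention (/Devices/<device>/<op> -> "<device>_<op>", lower-cased).
function requiredRoleForPath(path) {
  const m = /^\/Devices\/([^/]+)\/([^/]+)$/.exec(path);
  if (!m) return null;
  return `${m[1].toLowerCase()}_${m[2].toLowerCase()}`;
}

// Deny by default: unknown routes and missing claims are both rejected.
function isAuthorized(tokenClaims, path) {
  const required = requiredRoleForPath(path);
  if (!required) return false;
  const roles = tokenClaims ? tokenClaims[ROLES_CLAIM] : undefined;
  return Array.isArray(roles) && roles.includes(required);
}

// Constructed sample user, modelled on the app_metadata shown in the thread.
const sampleUser = { app_metadata: { roles: ['x_op1', 'x_op2'] } };

function demo() {
  const context = { accessToken: {} };
  addRolesToAccessToken(sampleUser, context, (err) => { if (err) throw err; });
  return {
    op1: isAuthorized(context.accessToken, '/Devices/X/op1'),   // true
    op3: isAuthorized(context.accessToken, '/Devices/X/op3'),   // false
    otherDevice: isAuthorized(context.accessToken, '/Devices/Y/op1'), // false
    badRoute: isAuthorized(context.accessToken, '/Admin/X/op1'), // false
  };
}
```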