Need help with scopes/permissions in my Laravel/Auth0 flow

Hi!

Okay, to explain what I want to achieve first. To learn auth0, I’m setting up:

  • A Laravel web application that will hold a catalog of, let's say, football teams (a FootballTeamController that handles the FootballTeam resource with the Eloquent ORM).
  • I need API routes in the same Laravel application, to be able to access the same catalog from a totally different application (or in case I want to rebuild the front end as a JS-based application with AJAX calls).
  • Auth0 to handle users and permissions (create:footballteam, read:footballteam, etc.)

I've been reading up and followed several tutorials/articles, and managed to get the API routes to work with permissions/scopes through the CheckJWT middleware suggested here: Auth0 Laravel API SDK Quickstarts: Authorization. But that is when I'm requesting tokens through the client_credentials grant type on a machine-to-machine application.

My problem is that I want to achieve the same with my web routes. I've been able to authenticate the users by following this tutorial: https://auth0.com/blog/build-a-laravel-6-app-with-authentication/#Adding-Authentication-to-Your-Laravel-6-0-Application, but I cannot find a way to check scopes/permissions for the users for my API (the API created in the Auth0 dashboard). I really just want to make sure not everyone can create football teams in my catalog :smiley:

So, I would appreciate if someone could point me in the right direction. Articles, tutorials, anything that could help me understand this better… I’m just stuck atm. :thinking:

And if you think I could have used a better approach/flow, let me know! I want to get this right :slight_smile:

Thanks!
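Added example (not code from the post above, nor from the Auth0 quickstart): a Laravel route middleware that enforces one permission on a decoded Auth0 access token, and works for both of the token shapes involved here. A client_credentials (machine-to-machine) token carries its granted scopes in the `scope` claim as a space-separated string. An access token issued to a logged-in user carries the scopes that were requested in `scope` and, if the API in the Auth0 dashboard has RBAC enabled together with "Add Permissions in the Access Token", the user's assigned permissions in a `permissions` array claim. For the browser login to produce such a token at all, the authorization request must include the API identifier as `audience`; the ID token is not the thing to check. The example assumes an upstream middleware (the quickstart's CheckJWT, or similar) has already verified the token's signature, issuer and audience and stored the decoded claims on the request under the attribute name `auth0_claims` (that attribute name, the `permission` alias and the file path are assumptions made here).

```php
<?php
// app/Http/Middleware/CheckPermission.php (path is an assumption)
// Added example, not the quickstart's or the poster's code.
// Assumption: an earlier middleware verified the JWT and did
//   $request->attributes->set('auth0_claims', $decodedClaimsArray);
// Register in app/Http/Kernel.php under $routeMiddleware as
//   'permission' => \App\Http\Middleware\CheckPermission::class,
// then use it as ->middleware('permission:create:footballteam').
// Laravel splits the pipe string on the FIRST ':' only, so the
// 'create:footballteam' part reaches handle() intact.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class CheckPermission
{
    public function handle(Request $request, Closure $next, string $required)
    {
        $claims = $request->attributes->get('auth0_claims');

        if (!is_array($claims) || !self::permissionGranted($claims, $required)) {
            // 403, not 401: the caller is authenticated but lacks the permission.
            abort(403, 'Missing permission: ' . $required);
        }

        return $next($request);
    }

    /**
     * True if the decoded access-token claims grant $required.
     *
     * 'scope'       space-separated string; present on client_credentials tokens
     *               and on user tokens for the scopes requested with the API audience.
     * 'permissions' array of strings; added to user tokens when the API has RBAC
     *               enabled with "Add Permissions in the Access Token".
     * Either claim is sufficient, so one middleware serves both the M2M and the
     * interactive-login case. Matching is exact and case-sensitive.
     */
    public static function permissionGranted(array $claims, string $required): bool
    {
        $scope = $claims['scope'] ?? '';
        if (is_string($scope)) {
            // preg_split tolerates repeated or leading/trailing whitespace.
            $scopes = preg_split('/\s+/', trim($scope), -1, PREG_SPLIT_NO_EMPTY);
            if (in_array($required, $scopes, true)) {
                return true;
            }
        }

        $permissions = $claims['permissions'] ?? [];
        if (is_array($permissions) && in_array($required, $permissions, true)) {
            return true;
        }

        return false;
    }
}

// Constructed claims for a quick check outside Laravel: php CheckPermission.php
// (Skipped under artisan/web requests because $argv[0] is not this file.)
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $m2m  = ['iss' => 'https://example.auth0.com/',
             'scope' => 'read:footballteam create:footballteam'];
    $user = ['iss' => 'https://example.auth0.com/',
             'scope' => 'openid profile email',
             'permissions' => ['read:footballteam']];
    $cases = [
        [$m2m,  'create:footballteam', true],   // M2M token, scope claim
        [$user, 'read:footballteam',   true],   // user token, permissions claim
        [$user, 'create:footballteam', false],  // user was not assigned it
        [['scope' => 'read:footballteams'], 'read:footballteam', false], // exact match only
        [[], 'read:footballteam', false],       // no claims at all
    ];
    foreach ($cases as [$claims, $perm, $expected]) {
        if (CheckPermission::permissionGranted($claims, $perm) !== $expected) {
            throw new \RuntimeException("unexpected result for $perm");
        }
    }
    echo "all checks passed\n";
}
```

On the web side this only does what you want if the browser session's access token was issued for your API (request it with the API's `audience`) and if the permission check runs against that access token's claims rather than against the ID token or the session user object. With RBAC on, the `permissions` claim reflects the roles/permissions assigned to the user in the dashboard, so a user without create:footballteam gets a 403 from this middleware even though they are logged in.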