Proper way to check for roles/permissions on nextjs backend

faabiopk · December 20, 2022, 1:01am

Hello,

In my application, I have a set of roles and permissions, which I added to my identity token claims using custom flows. These are used to hide/show UI elements. I am using NextJS and the auth0-nextjs SDK.

I am not sure what is the proper way of checking authorization on the backend. Of course I have the withApiAuthRequired wrapper for the functions, but I am not sure how should I check if a user has a specific permission. Is there a simpler way of doing that instead of doing an API call to the ManagementAPI? Can I use the accessToken somehow? It does not seem to be a JWT.

Thanks!

rueben.tiow · December 20, 2022, 4:57pm

Hi @faabiopk,

Thanks for reaching out to the Auth0 Community!

I understand you need help getting the user Roles/Permissions on your Next.js app.

I recommend using the getSession method to get the Roles/Permissions in the custom claim from the ID Token. For example:

import { getSession } from '@auth0/nextjs-auth0';

// pages/admin.js
export default function Admin({ error }) => error ? <div>error<div> : <div>Admin Section</div>;

export getServerSideProps = ({ req, res }) => {
  const session = getSession(req, res);
  if (!session?.user['http://your-namespace/roles'].includes('admin')) {
    return { props: { error: 'Forbidden' } }
  }
}

I hope this helps!

Please let me know how this goes for you.

Thanks,
Rueben

faabiopk · January 4, 2023, 11:42pm

Hi Rueben!

Yes, I need help, but in the backend instead. I was able to use the roles/permissions on the frontend without problems.

I am not sure how to use them on the backend of NextJS, could you point me to the direction? This information is on the ID token, right? On the backend I should NOT use it for authorization, correct?

Thank you

rueben.tiow · January 5, 2023, 6:11pm

Hi @faabiopk,

Thank you for your response.

For the backend, I recommend using the Management API’s Get a user’s roles and Get a User’s Permissions endpoints.

Reference docs:

Get Management API Access Tokens for Production doc for more details.
View User Permissions
View Roles Assigned to Users

And to reiterate, you could append the user’s Roles and Permissions as custom claims in the Access Token. Please make sure to include the audience parameter when requesting an access token for it to be a JWT. See this doc for details.

Thanks,
Rueben

system · January 19, 2023, 6:12pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Access permissions assigned to a role using Auth0 Next.js SDK Help user-profile , user-management	0	902	June 12, 2023
Implementing RBAC with Next.js SDK Help user-profile , user-management	2	2196	January 31, 2023
Roles and permissions from Auth0 Extension not being added to id token in Next app Help classic-universal-login-experience , login-experience	4	1751	July 27, 2023
How can I get user roles client side? Help management-api , roles	4	2635	February 26, 2024
Next.js API Routes RBAC Help nextjs	2	2900	December 22, 2022

Proper way to check for roles/permissions on nextjs backend

Related Topics