In my application, I have a set of roles and permissions, which I added to my identity token claims using custom flows. These are used to hide/show UI elements. I am using NextJS and the auth0-nextjs SDK.
I am not sure what the proper way of checking authorization on the backend is. Of course I have the withApiAuthRequired wrapper for the functions, but I am not sure how I should check if a user has a specific permission. Is there a simpler way of doing that instead of doing an API call to the ManagementAPI? Can I use the accessToken somehow? It does not seem to be a JWT.
Yes, I need help, but in the backend instead. I was able to use the roles/permissions on the frontend without problems.
I am not sure how to use them on the backend of NextJS, could you point me in the right direction? This information is on the ID token, right? On the backend I should NOT use it for authorization, correct?
And to reiterate, you could append the user’s Roles and Permissions as custom claims in the Access Token. Please make sure to include the audience parameter when requesting an access token for it to be a JWT. See this doc for details.