RBAC for Regular Web App (Next.js but could be anything)

This is a question I’ve seen floating around but not definitively answered:

I have a next.js app that’s set up as a regular web application. However, the access token that’s given to a regular web application does not seem to have the capability of having permissions embedded in it. On the other hand, all the RBAC docs seem to point to using RBAC for an API, not a regular web app.

So if I have a next.js app that has some server actions I’m trying to gate with permissions, what do I have to do here? I’m already getting an access token from authenticating as a user, but this doesn’t have permissions – so do I have to make another call to this endpoint: https://projectname.us.auth0.com/oauth/token to get ANOTHER access token which does have permissions in it, and then use that second access token and its decoded permissions to authenticate my server action?

This is possible, but it seems wasteful to have to make another call to get a second access token, this time one that’s loaded with permissions, because the regular web app access token doesn’t have RBAC built into it.

Hey there @allen3 welcome to the community!

Hmm - there’s no reason you shouldn’t be able to get permissions in an access token when performing auth by way of a web app. This is of course assuming you have roles w/ permissions assigned to a user, RBAC enabled for the API registered in Auth0, as well as the “Add Permissions in the Access Token” option toggled in the API settings.

I just tested in our express webapp sample:
