Restrict M2M Application using Management API to a given connection

Hello,

I wasn’t able to find a way to restrict an M2M application using the Management API to only a connection or a set of connections (the same toggle-button view we have for the other types of application).
If not, it means that any M2M application with Management API access can (for example) modify all the users of all the database connections, which is not what I expect.

Did I miss something?

Regards,

Hi @cedric.pronzato

You can do this, somewhat clumsily, with the permissions on the API the M2M application is getting a token for. The permissions for the API should be something like read:conn1, write:conn1, read:conn2, write:conn2. Then your M2M app should only get the permissions it needs, like read:conn2 and nothing else.

Auth0 is rolling out Fine Grained Authz, and this may help.

John

Thx @john.gateley

While your answer seems to match my requirement, it is a bit unclear on the following:

  • It seems that I cannot set this kind of permission in the UI. Do you mean it has to be edited using an API call? (Or is it not in the My M2M App > APIs > Permission section?)
  • I'm not sure I get the syntax. I.e. I want to only allow updating users, so something like: update:users:conn2 (mixing your answer and the current permission format I see).
  • Is there any documentation page?

Thank you for your support,
Regards,
Cedric

Hi @cedric.pronzato
In the Auth0 dashboard, go to Applications->APIs and choose your API (not the management API, the one you are using for the M2M app).
On that page, there is a tab for permissions.
This is where you edit the permissions.

The syntax is flexible, use what you think best.

John

Thank you @john.gateley

But my concern is the Management API: I want to restrict permissions on a given connection to allow adding/modifying users.

For this my expectation was to create multiple M2M applications (that I can give to different backends) with the Management API enabled but only allowed to modify the database connections they are expected to.
I do not want to provide applications with the Management API enabled that allow modifying any database. It is a bit crazy and not secure.

Regards,
Cedric

Hi @cedric.pronzato

So sorry, I misread your question.

The management API is extremely powerful. It should only be accessed from a secure platform, such as a secure backend to a web app. Never from the browser.

Because of this restriction, the permissions aren’t really finer-grained. Since the platform is secure, YOU have control over the source and you can control what is done with access.

John

I do not completely agree with your statement that it does not require Auth0 to support fine-grained access.
As an analogy, in a SQL server, you are saying “no need for users on different databases, just secure your root user”.

I do not intend to use this application in a browser; it is for backend purposes. But I have different customers, so different Auth0 database connections and associated applications.
Each of my different customers may need to perform updates on their database connection and must not be able to perform actions on the database connections of the other customers.

Auth0 was already well designed to define which application can use which connection. But when it comes to the Management API, all is root:root.

Regards,
Cedric
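One way to reconcile the two positions in this thread is a small backend gateway: it alone holds the Management API credentials, while each customer backend gets a token for a custom API carrying connection-scoped permissions in the `update:users:conn2` format proposed above, and the gateway refuses any user update whose target user does not belong to a connection the caller is granted. The code below is an added example, not from the thread or from Auth0; the connection names, the wildcard convention and the gateway itself are assumptions, and only the `identities[].connection` field of the user record is the real Management API shape.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Permission string format assumed by this example: action:resource:connection
ALLOWED_ACTIONS = {"create", "read", "update", "delete"}


@dataclass(frozen=True)
class Grant:
    action: str
    resource: str
    connection: str  # "*" is this example's convention for "every connection"


def parse_scope(scope: str) -> Optional[Grant]:
    """Parse 'update:users:conn2' into a Grant; anything malformed is rejected."""
    parts = scope.split(":")
    if len(parts) != 3 or not all(parts):
        return None
    action, resource, connection = parts
    if action not in ALLOWED_ACTIONS:
        return None
    return Grant(action, resource, connection)


def grants_from_token(scope_claim: str) -> Set[Grant]:
    """The token's 'scope' claim is space-separated; unparseable entries are dropped."""
    return {g for g in map(parse_scope, scope_claim.split()) if g is not None}


def is_allowed(scope_claim: str, action: str, resource: str, connection: str) -> bool:
    """True only for an exact grant on this connection or a wildcard grant."""
    grants = grants_from_token(scope_claim)
    return (Grant(action, resource, connection) in grants
            or Grant(action, resource, "*") in grants)


def authorize_user_update(scope_claim: str, user: dict) -> bool:
    """Gate a user update the gateway is about to forward to the Management API.

    The connection is taken from the user record the gateway fetched itself
    (identities[].connection), never from a value supplied by the caller.
    A linked user spans several connections, so every one of them must be
    granted; a user with no identities is refused rather than guessed about.
    """
    identities = user.get("identities") or []
    if not identities:
        return False
    return all(is_allowed(scope_claim, "update", "users", ident.get("connection", ""))
               for ident in identities)
```

The gateway would call `authorize_user_update` with the caller's validated `scope` claim and the user record it fetched from `GET /api/v2/users/{id}` before issuing the `PATCH`.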