I wasn’t able to find a way to restrict an M2M application using the Management API to only a connection or a set of connection (same toggle button view we have the the other type of application).
If not it means that any M2M application with Management API can (for example) modify all the users of all the database connections, which is not what I expect.
Did I miss something?
You can do this, somewhat clumsily, with the permissions on the API the M2M application is getting a token for. The permissions for the API should be something like read:conn1, write:conn1, read:conn2, write:conn2. Then your M2M app should only get the permissions it needs, like read:conn2 and nothing else.
Auth0 is rolling out Fine Grained Authz, and this may help.
while your answer seems to match my requirement, it is a bit unclear on the following:
- seems that I cannot set this kind of permission in the UI, do you mean it as to be edited using an API call? (or it is not in the My M2M App>APIs> Permission section)
- not sure to get the syntax. Ie want to only allow updating user, so something like: update:users:conn2 (mixing your answer and the current permission format I see)
- is there any documentation page?
Thank you for your support,
In the Auth0 dashboard, go to Applications->APIs and choose your API (not the management API, the one you are using for the M2M app).
On that page, there is a tab for permissions.
This is where you edit the permissions.
The syntax is flexible, use what you think best.
Thank you @john.gateley
but my concern is the Management API, I want to restrict permissions on given connection to allow adding/modifying users.
For this my expectation was to create multiple M2M applications (that I can give to different backends) with the Management API enabled but only allowed to modify connection database they are expected to.
I do not want to provide applications with Management API enabled allowing to modify any database. It is a bit crazy and not secure.
So sorry, I misread your question.
The management API is extremely powerful. It should only be accessed from a secure platform, such as a secure backend to a web app. Never from the browser.
Because of this restriction, the permissions aren’t really finer grained. Since the platform is secure - YOU have control over the source and you can control what is done with access.
I do not completely agree with your statement that is does not require Auth0 to support fine grained access.
As for analogy in a SQL server, you are saying “no need of users on different databases”, just secure your root user.
I do not intend to use this application into a browser, it is for backed purposes. But I have different customers so different Auth0 connection databases and associated applications.
Each of my different customers may have need to perform update on their database connection and must not be able to perform action on database connection of the other customers.
Auth0 was already well designed to define which application can use which connection. But when it comes to the Management API, all is root:root