We have three front-end applications and three APIs corresponding to them. We need to grant application access based on permissions. For example, User1 should have access only to App1 and App2, User2 should have access only to App3, and User3 should have access only to App1.
With the information you have provided, I suggest using an Auth0 DB connection (the same one) for all three apps/APIs, and using a user's app_metadata to store which apps they have access to.
This is close to what you said above, except it does not require contacting an external service/database.
Thanks for your response. It's clear that we don't need to contact an external database/service. As in the example above, when User1 tries to access App3, which he doesn't have access to, Auth0 will still authenticate the user, grant access to App3 and redirect to the App3 landing page. Is it App3's (the SPA's) responsibility to check the user's app_metadata and restrict the user?
I think I would do this with metadata (as I said earlier) and use a rule that fails the login when the app doesn't match the metadata.
Basically something like:
if (!(user.app_metadata.clients || []).includes(context.clientID)) return callback(new UnauthorizedError("Unauthorized"));
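A fuller version of that rule, added here as an example and not code from the thread or from Auth0. Auth0 rules are a single function with the signature `function (user, context, callback)`, the client being logged into is exposed as `context.clientID` (and its display name as `context.clientName`), and `UnauthorizedError` is provided by the rule sandbox; the shim class, the `simulateLogin` helper, the `app_metadata.clients` field name and the sample client IDs and users below are assumptions made so the file runs stand-alone with node.

```javascript
// Shim for the UnauthorizedError the Auth0 rule sandbox provides globally.
// Only needed to run this file outside Auth0 (assumption, not Auth0's code).
class UnauthorizedError extends Error {
  constructor(message) {
    super(message);
    this.name = 'UnauthorizedError';
  }
}

// The rule: deny the login unless the client being signed into is listed in
// the user's app_metadata.clients (array of Auth0 client IDs; field name is an
// assumption, the thread only says "store which apps they have access to").
// app_metadata is not editable by the user, which is why it is safe to use here.
function restrictClientsRule(user, context, callback) {
  const allowed = (user.app_metadata && user.app_metadata.clients) || [];

  // Fail closed: a user with no clients entry, or a malformed one, gets nothing.
  if (!Array.isArray(allowed) || !allowed.includes(context.clientID)) {
    return callback(new UnauthorizedError(
      'Access denied: user is not entitled to application ' + context.clientName));
  }

  // Let the login continue unchanged.
  return callback(null, user, context);
}

// Test harness only: runs the rule against a constructed context and reports
// whether the login would be allowed. Not part of a real Auth0 deployment.
function simulateLogin(user, clientID, clientName) {
  let result;
  restrictClientsRule(user, { clientID: clientID, clientName: clientName }, function (err) {
    result = err ? { allowed: false, reason: err.message } : { allowed: true, reason: null };
  });
  return result;
}

// Constructed sample data mirroring the question; client IDs are made up.
const CLIENTS = { App1: 'clientid_app1', App2: 'clientid_app2', App3: 'clientid_app3' };
const USERS = {
  User1: { email: 'user1@example.com', app_metadata: { clients: [CLIENTS.App1, CLIENTS.App2] } },
  User2: { email: 'user2@example.com', app_metadata: { clients: [CLIENTS.App3] } },
  User3: { email: 'user3@example.com', app_metadata: { clients: [CLIENTS.App1] } },
  // Edge case: a user with no app_metadata at all must be denied everywhere.
  NoMeta: { email: 'nometa@example.com' },
};

// Builds the user x app access matrix the question describes.
function accessMatrix() {
  const matrix = {};
  Object.keys(USERS).forEach(function (userName) {
    matrix[userName] = {};
    Object.keys(CLIENTS).forEach(function (appName) {
      matrix[userName][appName] = simulateLogin(USERS[userName], CLIENTS[appName], appName).allowed;
    });
  });
  return matrix;
}

// Print the matrix when run directly with node.
const matrix = accessMatrix();
Object.keys(matrix).forEach(function (userName) {
  console.log(userName, JSON.stringify(matrix[userName]));
});
```

Because the rule runs before the token is issued, User1 attempting App3 never reaches the App3 landing page: the authorization request fails with the error message, and nothing is left for the SPA to enforce on its own. Whatever the SPA checks in the ID token is then only a UX nicety, not the control.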