Restrict multiple apps, apis for users

sselva · October 7, 2020, 1:05am

We have three front end applications and 3 APIs corresponding to the same. We need to provide the application access based on the permissions. For e.g. User1 should have access only to App1 & App2, User2 should have access only to App3, User3 should have access App1.

Based on the documentation and in the forums ( https://community.auth0.com/t/associating-users-to-multiple-applications/19644) I came to know that this is not natively available using Auth0. It can be achieved using Auth0 rules/extensions by contacting any external service/database.

I just want to know if this is still true or some other better way is introduced.

Thanks in advance.

john.gateley · October 7, 2020, 1:40pm

Hi @sselva

WIth the information you have provided, I suggest using an Auth0 DB connection (the same one) for all three apps/APIs, and using a user’s app_metadata to store which apps they have access to.

This is close to what you said above, except it does not require contacting an external service/database.

John

sselva · October 7, 2020, 4:57pm

Thanks for your response. That’s clear that we don’t need to contact external database/service. As said in above example when the User1 is trying access App3 which he don’t have access, the Auth0 will still authenticate and allow the user to grant access to App3 and redirect to App3 landing page. It is App3’s(SPA) responsibility to check the user’s app_metadata and restrict the user?

Is the above understanding is right?

Please let us know.

john.gateley · October 8, 2020, 1:03pm

Hi @sselva

I think I would do this with metadata (as I said earlier) and use a rule that fails the login when the app doesn’t match the metadata.
Basically something like:

if (context.clientId not in user.app_metadata.clients) cb("Unauthorized)…);

That is not correct javascript, just psuedocode

John