Role based access control in applications

Hi there,

I am looking to implement role based authorizations for users but without using API’s. I am using applications and wanted to know how to implement this.


Ooph, that’s a tough one. We tried working with Auth0 on this but in the end migrating to Stytch seemed to solve the problem :+1:

1 Like

Hey there @manoj.damani welcome to the community!

Can you help us understand your use case a little better? I’m not entirely sure what you mean by without APIs - You can assign roles to user’s directly in your Auth0 dashboard, include those in user access and/or ID tokens and make decisions in your app based on those.

If this is not what you are referring to, do let us know - The more detailed information you can provide the better!

Hi @tyf

Thanks for the welcome :slight_smile:

So the idea is when a user logs in, I should be able to pull a role designated to him. I have created a sample user and can only assign roles in API. As of now, if I login to an application instead of an API, I cannot get the user roles. RBAC can only be activated within API’s.

I am working towards storing the user roles in the app_metadata and trying to retrieve it when the user logs in. This is complicated because you have to get an access token form the management API and then try to retrieve the user information. I am not still sure whether you login to the Auth0 Account Management API Management Client application or the API.

This is my problem in a nutshell, how to enable roles for the users.

1 Like

Using app_metadata is a great way to store roles - You can also assign them directly to users and not assign API permissions to roles, but just infer them. Rather than using the Management API, you can set app_metadata as a custom claim in user’s tokens directly. At that point when an access token is passed to your backend (or even using the ID token on front end) you can make decisions you need to based on roles assigned in app_metadata. A post-login action might look like:

exports.onExecutePostLogin = async (event, api) => {
  // Define the namespace for your custom claims
  const namespace = 'https://your-app-namespace/';

  // Retrieve app_metadata
  const appMetadata = event.user.app_metadata || {};

  // Add a custom claim from app_metadata
  // Example: Add a custom claim for a role stored in app_metadata
  const role = appMetadata.role || 'guest';

  // Add the custom claim to the ID token
  api.idToken.setCustomClaim(`${namespace}role`, role);

  // Add the custom claim to the access token
  api.accessToken.setCustomClaim(`${namespace}role`, role);