Auth0 Home Blog Docs

Set scope based on user metadata



I’m fairly new to Auth0. I have a working Spring Boot application with security backed-up by Auth0 (implementation made with a guide). I’m able to register users, login and restrict their access with hasAuthority.

I want to add roles to my system. My idea was to write the ROLE into the user metadata and have the token’s scope change whenever i login based on the user metadata information (i.e. role) - so when a user with ADMIN metadata logs in his scope will be different from when a regular user logs in. In turn - specific endpoints of my application will have ‘hasAuthority’ that fits an admin and will not allow access to any other token.

I’m struggling to find code snippets or working examples and i’m not quite sure my idea is the right way to implement this in the system.


At this time you can use rules to implement custom authorization policies where a specific logic check will influence the scopes issued in the access token. For an example of this see this section of the reference documentation.

In your particular case, the check would be based on the role contained in user profile metadata. An important thing to note is that you should store this information as part of app_metadata; DO NOT store it as part of user_metadata. The reason is the user_metadata can be modified directly by end-users so a malicious user could control their own role information and elevate its permission.