I have an existing React application powered by a Node.js API server. I want to migrate to use Auth0 for authentication and authorization (access control) but I’m running into issues getting both authentication and authorization working.
I’ve created an Auth0 API in the console and set up the proper middleware in my api server. I followed the directions in the Test tab in the application to generate the Machine to Machine token and authentication is working fine. I also downloaded the Auth0 React sample application and created an Auth0 Application and I am able to authenticate in the sample React application and make the API calls to the authenticated endpoints on the server without issue.
Where I’m struggling is with the authorization. The whole point of integrating Auth0 is for me to be able to implement access control across every endpoint. I want to define read and write permissions to apply to every endpoint that requires authentication. So I’ve created a couple of initial permissions under the Auth0 API and set up endpoints to require these permissions. But I can’t figure out how to log in as a user that has those permissions. The token created from the API -> Test tab is based on the Machine to Machine application, so there are no permissions associated with that token and therefore it can’t access the scoped APIs. I created an Auth0 role and assigned the permissions from the API, and then I created an Auth0 user and made sure that user was assigned the new role. When I log in as that user in the React sample application and make the API call, it fails because the JWT token doesn’t include the permissions for the API.
It seems like I don’t completely understand how roles and permissions are applied to a token but these are the two questions that stand out:
- Why doesn’t the user have the proper permissions when I log into the React app even though I’ve added those permissions to the role that the user is assigned to?
- How can I generate a token for an existing user to be able to make API calls as that user to test access control (via Postman)? A machine to machine token is pointless because it has no permissions.