Trouble understanding scopes vs permissions

I’m having some trouble understanding this sample use case. In short it suggests to add permission in the access token. This way I can manage which, so-called modules in my application, the user can or can’t see.

When combining this sample use case with this Auth0 Express API Samples I run into a bit of a problem. The express API checks for permissions in the scope. Not in the access token permissions.

const checkScopes = jwtAuthz(['read:messages']);

Are permissions meant for the application called ‘Client’ in RFC specifications and not a custom API.
And scopes for asking the user for permission to access a custom API on behalf of the user?

If using scopes is the correct way of handling this. How would I know when a user authenticates if I need to attach Gift Shop Manager scopes or the Newsletter Admin scopes? I could ask for all scopes and let the RBAC policy on the custom API figure it out, but I think that isn’t the correct way of handling the issue.

Right now I’m using passport-auth0 this stores the user profile in the req.user object. Is there a recommended way to also store the scope or permissions inside this object.

Example of permissions in access token:

{
  "iss": "https://*****.eu.auth0.com/",
  "sub": "auth0|5d18d******9809",
  "aud": [
    "https://*******.com/api",
    "https://de*****nd0.eu.auth0.com/userinfo"
  ],
  "iat": 1562398738,
  "exp": 1562485138,
  "azp": "NgZ2T**********Z5xI7Npkj3larb2k0FPr",
  "scope": "openid profile email",
  "permissions": [
    "read:awesome",
    "read:messages",
    "write:messages"
  ]
}

Is there a need for more information regarding my question?

Hi @Luukth

Sorry for the delay in the response. Let me try to address some of your doubts

The express API checks for permissions in the scope. Not in the access token permissions.

You can specify the customScopeKey option to use the permissions claim instead of the scope.

The goal of having the permissions claim instead of the scope claim to perform authorization is for the cases you just need to know what permissions the user has in a given API and you don’t need to collect consent from the user (usually first party applications).

Is there a recommended way to also store the scope or permissions inside this object.

When defining the auth0 strategy using passport, you can specify a Verify Callback with signature accessToken, refreshToken, extraParams, profile, done) where you should be able to have the permissions and the user profile.

Regards,
Marcos

You could probably add some information about the customScopeKey in this quick start demo:
https://auth0.com/docs/quickstart/backend/nodejs.

You have to specify customScopeKey here @Marcos_Castany?

Thanks for the info!

Hi,

I am confused about this a bit too. Permissions is working fine except for my integration tests, my integration tests use a Client with Machine to Machine access to get an access token, i have granted all the required permissions via the scopes but they come back in the scope field rather than the permissions field.

The code in my application checks the permissions field so my integration tests all now fail, should by code union scope and permissions, or does that pose some other security issue.

Alternatively is there a better way to inegration test without having to supply a users username and password that will return permissions instead of scope.

Thanks, Ed

Thanks, Ed

Hey there Buddy,

Hope you’re doin great!

The way to add the customScopeKey is quite simple. The express-jwt-authz accepts the two arguments. The first argument would be the permissions and second argument would be options object. Something like this

const checkScope = jwtAuthz(["read:messages"], {"customScopeKey" : "permissions" })

For more info about the express-jwt-authz, you could go ahead and check out the npm package here

Thanks for sharing that @ashfaqnisar!

No Problemo!