I’m having some trouble understanding this sample use case. In short, it suggests adding permissions to the access token. This way I can manage which so-called modules in my application the user can or can’t see.
When combining this sample use case with the Auth0 Express API Samples, I run into a bit of a problem: the Express API checks for permissions in the scope, not in the access token permissions.
```js
const checkScopes = jwtAuthz(['read:messages']);
```
Are permissions meant for the application called ‘Client’ in the RFC specifications and not for a custom API, and scopes for asking the user for permission to access a custom API on behalf of the user?
If using scopes is the correct way of handling this, how would I know, when a user authenticates, whether I need to attach the ‘Gift Shop Manager’ scopes or the ‘Newsletter Admin’ scopes? I could ask for all scopes and let the RBAC policy on the custom API figure it out, but I think that isn’t the correct way of handling the issue.
Right now I’m using passport-auth0, which stores the user profile in the req.user object. Is there a recommended way to also store the scope or permissions inside this object?
Example of permissions in the access token:
```json
{
  "iss": "https://*****.eu.auth0.com/",
  "sub": "auth0|5d18d******9809",
  "aud": [
    "https://*******.com/api",
    "https://de*****nd0.eu.auth0.com/userinfo"
  ],
  "iat": 1562398738,
  "exp": 1562485138,
  "azp": "NgZ2T**********Z5xI7Npkj3larb2k0FPr",
  "scope": "openid profile email",
  "permissions": [
    "read:awesome",
    "read:messages",
    "write:messages"
  ]
}
```
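The mismatch described in the post, as an added example that is not part of the original post or of Auth0's samples: an Express-style middleware in the same shape as `jwtAuthz([...])` that authorizes on the token's `permissions` array instead of the `scope` string. It assumes an upstream middleware has already verified the JWT signature and placed the decoded payload on `req.user` (the property name is an assumption matching the passport-auth0 usage in the post).

```javascript
// Added example, not from the original post or from Auth0's sample projects.
// Assumes a JWT-verifying middleware has already put the signature-checked,
// decoded access token payload on req.user (property name is an assumption).

// Pure check: does the decoded token carry every required permission?
// Only the "permissions" array is consulted; the "scope" string is ignored,
// which is exactly where jwtAuthz differs (it reads "scope" only).
function hasPermissions(decoded, required) {
  const granted = Array.isArray(decoded && decoded.permissions) ? decoded.permissions : [];
  return required.every((p) => granted.includes(p));
}

// Same call shape as jwtAuthz(['read:messages']): returns (req, res, next).
// 401 when there is no verified token on the request, 403 when the token is
// present but lacks a required permission.
function requirePermissions(required) {
  return function (req, res, next) {
    const decoded = req.user;
    if (!decoded) {
      return res.status(401).json({ error: 'missing or unverified token' });
    }
    if (!hasPermissions(decoded, required)) {
      return res.status(403).json({ error: 'insufficient permissions', required });
    }
    return next();
  };
}

// Constructed sample payload mirroring the claims shown in the post.
const samplePayload = {
  scope: 'openid profile email',
  permissions: ['read:awesome', 'read:messages', 'write:messages'],
};

// Minimal stand-ins for Express req/res so the middleware runs without express.
// Returns 200 if next() was reached, otherwise the status code that was set.
function runMiddleware(mw, decoded) {
  const req = { user: decoded };
  let status = null;
  const res = { status(code) { status = code; return this; }, json() { return this; } };
  let nextCalled = false;
  mw(req, res, () => { nextCalled = true; });
  return nextCalled ? 200 : status;
}
```

A token whose `scope` string happens to contain `read:messages` but whose `permissions` array does not is still rejected, which is the behaviour to expect once the API is authorizing on RBAC permissions rather than requested scopes.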