I am developing an application which has the concept of users and user permissions, but for which I do not wish to implement authentication. Instead, authentication should be delegated to an external service. This service will provider password reset, 2FA, delegating login to Social logins, creating and removing users etc.
This application in reality consists of a Website, a mobile app, and an API which is accessed by the website backend, as well as the mobile app directly.
- Concerning role/permission management I seem to have two options:
a) user roles/permissions are not configured in auth0. When passing the access token to the API the API will verify the validity of the access token with auth0, and receive from auth0 some information about the user for whom this access token was issued. The API will then check its database for roles/permission configured for this user.
REASON: I won’t be bound to whatever role/permission system auth0 implements and could swap auth0 with any other oidc provider.
b) user roles/permissions are configured within auth0. When passing the access token to the API the api will verify the validity of the access token with auth0 and receive from auth0 some role/permission information associated with this token.
REASON: Everything related to users resides in auth0
Are both of these options 100% possible within the oauth/oidc standard? Is the method of validating an access token with the authorization server standardized or proprietary? Is one options more “oauth-like” than the other?
- In my situation the oauth “client” (mobile app or website backend) and “resource server” (the API) are owned by a single organization. Therefore there is no need to limit the scopes the client should have access to. What scopes should then be requested when logging in to auth0?