Currently I’m working on a .NET Core application (with a SQL Server database) that serves as a management tool to connect users to sets of permissions.
The idea is that if a user tries to access one of our APIs (exposed to the Internet), his access token (which he got during authentication with Auth0) is checked, we extract his username from his claims and use that to fetch his permissions from our database. (The user’s email address defined in our Auth0 tenant needs to be defined in our database as well, of course.) These permissions can then be used to determine if he is allowed access to specific endpoints.
- We don’t use Auth0 scopes. We use Auth0 for authentication only.
- Ideally you want to fetch the list of permissions directly after authentication and let the called APIs just check the user’s access token instead of needing to call the “Authorization API”.
The questions that keep popping up in my head:
1. Is this management tool something we should maybe not build ourselves but rather use an off-the-shelf solution? What applications come to mind then?
2. Would using Auth0 webhooks be a good way to call our Authorization API directly after Auth0’s authentication took place, so the user’s permissions can be fetched and added to the list of claims in the token?
3. Would it be possible to modify a JWT when the user accesses one of our APIs and augment it with the permissions coming from the DB? (in order to prevent having to refetch them on subsequent requests)
I’d like to hear your thoughts.
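One server-side way to realise the flow described in the post (validate the Auth0 token, map the user to database permissions, gate endpoints on them) is an ASP.NET Core IClaimsTransformation that adds the permissions to the ClaimsPrincipal for the current request. The signed JWT is never altered; only the in-process principal is enriched. This is an added example, not code from the original post; `IPermissionStore` is a hypothetical repository over the permissions table, and the claim that carries the e-mail address is assumed to be `email`.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Caching.Memory;

// Hypothetical repository over the permissions table (assumed, not from the post).
public interface IPermissionStore
{
    Task<IReadOnlyList<string>> GetPermissionsAsync(string email, CancellationToken ct);
}

public sealed class DbPermissionClaimsTransformation : IClaimsTransformation
{
    private const string PermissionClaimType = "permission";
    private readonly IPermissionStore _store;
    private readonly IMemoryCache _cache;

    public DbPermissionClaimsTransformation(IPermissionStore store, IMemoryCache cache)
    {
        _store = store;
        _cache = cache;
    }

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // The transformation can run more than once per request; do not add claims twice.
        if (principal.HasClaim(c => c.Type == PermissionClaimType))
            return principal;

        // Assumed claim name; depends on the Auth0 tenant and requested scopes.
        var email = principal.FindFirst("email")?.Value
                    ?? principal.FindFirst(ClaimTypes.Email)?.Value;
        if (string.IsNullOrEmpty(email))
            return principal; // Unknown user: no permissions are granted.

        // Short cache: avoids a DB round-trip per request while a revocation
        // still takes effect within a minute.
        var permissions = await _cache.GetOrCreateAsync($"perm:{email}", entry =>
        {
            entry.AbsoluteExpirationRelativeToNow = TimeSpan.FromMinutes(1);
            return _store.GetPermissionsAsync(email, CancellationToken.None);
        }) ?? Array.Empty<string>();

        // Clone so the authenticated identity from the token is left untouched.
        var enriched = principal.Clone();
        var identity = new ClaimsIdentity();
        foreach (var p in permissions)
            identity.AddClaim(new Claim(PermissionClaimType, p));
        enriched.AddIdentity(identity);
        return enriched;
    }
}

// In Program.cs: register the transformation and express each permission as a policy.
// builder.Services.AddMemoryCache();
// builder.Services.AddScoped<IClaimsTransformation, DbPermissionClaimsTransformation>();
// builder.Services.AddAuthorization(o => o.AddPolicy("reports:read",
//     p => p.RequireClaim("permission", "reports:read")));
// app.MapGet("/reports", ...).RequireAuthorization("reports:read");
```

Because the permissions are looked up from the claims of an already validated token, every API that shares this code enforces the same database-backed rules without a separate call to the Authorization API.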