Use of roles/permissions without using custom APIs

General question about authorization support. Is it possible to use roles and permissions without having any custom APIs? Currently what I see is that roles are allowed to be created and associated with a user, but for permissions you must have APIs. Can we create generic permissions for roles to be used with our application without defining our APIs in Auth0? So our goal is to just use the roles/permissions store from Auth0, and the actual authorization will be done in our app. If anyone knows whether this is possible…

Hello @kunalbhai.shah,

Welcome to the Community! Auth0 provides a lot of flexibility on this front. You could use the built-in Roles feature and just send that data to your own apps / APIs in the user’s tokens, or build something of your own by storing role related data in the user’s app_metadata and again, put that data into the user’s tokens for consumption by your apps & APIs.

1 Like

Thanks @markd … we were able to do that and update the identity token to include user roles… but not able to add permissions… so was just wondering if this is possible…

Hi @markd, maybe a related question… Just found out that the roles we add via the Users -> Roles tab are part of Authorization Core, while what shows up in app_metadata is part of Auth Extensions, and they are different… We saw this as our roles are not matching between what’s in app_metadata vs what’s in the Roles tab. So the question is how we can get to our roles in Authorization Core so that we can add them to our token?


Just my opinion here but I would disable the authz extension altogether, and remove the app_metadata.authorization object from all your users to avoid confusion.

I’m not using authz core yet, but you should be able to call the API from a Rule (or an Action) to get a user’s roles and scopes. In fact, it looks like the authz core data should be available in the context. Have a look at:

and:

2 Likes
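An added example (not code from the thread or from Auth0) of what the two replies above describe: a post-login Action reads the Authorization Core roles that the runtime passes in `event.authorization.roles`, copies them into namespaced custom claims on the ID and access tokens, and the application then authorizes locally from that claim without defining an API in Auth0. Permissions are not handled here, since the thread notes they hang off an API definition; only roles are exposed on `event.authorization`. The namespace `https://example.com/`, the claim name `roles`, the sample event, and the fake `api` recorder used to run this outside the Action runtime are all assumptions made up for this illustration.

```javascript
// Added example, not from the original thread or from Auth0's own samples.
// Assumed values: the claim namespace, the sample event, and the fake api recorder.

const NAMESPACE = 'https://example.com/'; // assumed; custom claims must be namespaced to avoid collisions

// Pure helper: extract Authorization Core roles from the Action event.
// Deduplicated and sorted so the claim value is stable across logins.
function rolesFromEvent(event) {
  const roles = (event && event.authorization && event.authorization.roles) || [];
  return [...new Set(roles)].sort();
}

// Synchronous core of the Action so it can be exercised without the Auth0 runtime.
// api.idToken / api.accessToken expose setCustomClaim in the real Actions API.
function applyRoleClaims(event, api) {
  const roles = rolesFromEvent(event);
  api.idToken.setCustomClaim(`${NAMESPACE}roles`, roles);
  api.accessToken.setCustomClaim(`${NAMESPACE}roles`, roles);
  return roles;
}

// Auth0 Action entry point (Login / Post Login flow). In the Actions editor this
// is exported as exports.onExecutePostLogin; the guard keeps the file loadable as ESM too.
async function onExecutePostLogin(event, api) {
  applyRoleClaims(event, api);
}
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Application side: after your JWT library has verified the signature, issuer,
// audience and expiry, authorization is decided from the claim alone.
function hasRole(claims, required) {
  const roles = claims[`${NAMESPACE}roles`];
  return Array.isArray(roles) && roles.includes(required);
}

// Stand-in for the Actions `api` object: records custom claims per token type.
function makeFakeApi() {
  const claims = { idToken: {}, accessToken: {} };
  const api = {
    idToken: { setCustomClaim: (name, value) => { claims.idToken[name] = value; } },
    accessToken: { setCustomClaim: (name, value) => { claims.accessToken[name] = value; } },
  };
  return { claims, api };
}

// Constructed sample event, shaped like what the Action runtime passes in
// (a duplicate role is included to show the dedupe).
const sampleEvent = {
  user: { user_id: 'auth0|abc123', email: 'alice@example.com' },
  authorization: { roles: ['editor', 'viewer', 'editor'] },
};

// Run the Action against the fake api and return the resulting access-token claims.
function demo() {
  const fake = makeFakeApi();
  applyRoleClaims(sampleEvent, fake.api);
  return fake.claims.accessToken;
}

if (typeof require !== 'undefined' && require.main === module) {
  const claims = demo();
  console.log(JSON.stringify(claims));          // {"https://example.com/roles":["editor","viewer"]}
  console.log(hasRole(claims, 'editor'));       // true
  console.log(hasRole(claims, 'admin'));        // false
}
```

Note that the app-side check trusts the claim only because the token signature and audience were verified first; the claim itself is just data the tenant chose to emit, and a user without an Authorization Core role gets an empty array, which `hasRole` treats as no access.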

Thanks for sharing that Mark!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.