User role in the database instead of scopes

Hello there!
I’m a new user of Auth0 and I’m struggling with understanding the scopes.

I would expect the user role to be defined in the database (I use MongoDB) with all the other parameters which are created by Auth0 after sign up. Then Auth0 on my node server would check the role and decide whether or not to allow the user to access such a route.

I do not understand why I should allow the users to have the scope stored in the localStorage, because it seems to be redundant (it still needs to be checked on the back-end) and insecure. I am sure there is a reason for it but I can’t see it yet.

Can anyone tell me whether it is possible to alter the Auth0 behaviour to the example flow I have written above and also explain the reason for the scopes?

Thank you a lot!

Maybe you can have a look at Rules. If my understanding is correct, all rules are executed in the order you define after a successful authentication.

When creating a rule, you will find a template “Add user roles from a SQL Server database” which can roughly be summarized as:

  1. Connect to the database and fetch the roles based on the user profile. It could be based on email, user_id or whatever.
  2. If there are roles, you can enrich the scopes (make sure you get the already granted scopes!).
  3. You can also add roles under a custom namespace like _http://example.com/roles_ and add it to the access token.

When the client receives the access token, it will send it to the proper API to request data: “Hey I want that, that and that, here is my authorization (access token)”. Then the server needs to decode the access token and check the custom claim _http://example.com/roles_.

Thank you for the comment Alain. I’m still confused. You said “make sure you get the already granted scopes!” however I don’t want my front-end to send me any scopes. I want every signed-in user to get the regular-user role, and when the user tries to access mypage.com/page-only-for-signed-users he will be matched with the database and then he’ll be able to access the path. No user-posted scopes. Just the most basic behaviour ever. All the users have the same rights (or scopes as you call it) so I don’t really need to have them to distinguish different user rights.

I’m leaving the further detail to the Auth0 experts as I consider myself a beginner++, but I think you misunderstand the concept of scope: when authenticating, you must at least require the openid scope, or the profile scope if you wish to fetch user information.

If you prefer, as said in my third point, you can handle custom roles and completely ignore the scope. As you define, in a rule, the role structure, you have full control over it and it is 100% custom. In my case, I use both:

  • Custom scope to know which user has access to which page (e.g. an accountant must have access to accounting pages)
  • Custom role to know which user has access to which content (e.g. a US accountant is only allowed to display US accounts)

Hope it helps

Thanks a lot for sharing it with the rest of the community!