Hi, I haven’t been using auth0 for a few years. I’m a bit rusty with my understanding.
I want to do the following (typical SaaS app scenario)
- Users can sign up for the product and are super admins in their org (can do everything)
- They can invite further users as either admins (less rights) or employees (even lesser rights)
- We want to have our own super admin access where we can monitor everything in the app, basically a dashboard like access to monitor stuff going on in the app
I’m wondering if auth0 is the right tool for this? I mean, if I use the auth0 login, where would we define the roles? Should we handle this on the backend? Or do we store the roles / scopes of which features a user can use in auth0?
If so, where? There seem to be scopes + metadata; I’m a bit confused about which ones are the right place for this.
Is it safe to assume that we store the roles in auth0, then via the JWT we can get the roles/scopes of the user to display the right stuff in the UI / protect routes based on their scope, but as a 2nd security measure (someone could mess with the JWT?), we double-check roles on the backend? E.g. to prevent an employee type of user from performing super admin type of actions.
I know those are a lot of questions; I’m just not sure where to start.
Also, role management seems to be in the paid plan only, so does that mean there’s no way to try things out on a free plan?