Using actions to validate user ownership

In my application, when a user logs in, I need to hop to the database and get the list of things they can see in the application.
It’s a very heavy and unnecessary check. I am wondering if I can move this check into auth0, using actions?
Do I just create a bunch of actions that say “user 5 has write access to object 1 and 2, but read access to object 3, and no access to all other objects”?

Does it come down in the token? How do I check this?

Hi @truescope

This feature will help: Fine Grained Authorization (FGA) at scale for developers - Auth0

John

1 Like

Hey John. I had a look into FGA, but it looks like it’s still in dev preview (and says there isn’t 100% uptime guaranteed/not recommended for use in production).

I am looking to upgrade our existing production application by replacing the user ownership structure.
Should I just use actions/scopes/rules instead?

Hi @truescope

If you truly need fine grained auth (where you need to control which objects of a class a user has access to), then rules/actions are not the way to go. The problem is that the permission specification becomes too long to pass in an access token. Access tokens are limited in length (depends on the browser) and if you have permissions generating an access token longer than 4K chars or so, it will break.

If you can limit the length of the permission string you are passing back in the access token, then you can use rules/actions.

John

1 Like
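To make John's advice concrete, here is an added example (not code from the thread or from Auth0) of the "limit the length of the permission string" approach: a post-login Action that encodes per-object permissions compactly, checks the result against a character budget before putting it in the access token, and falls back to a reference claim when the set is too large, plus the API-side helper that reads the claim back. The claim name `https://example.com/perms`, the 1024-character budget and the `app_metadata.permissions` layout are assumptions of this example; `onExecutePostLogin` and `api.accessToken.setCustomClaim` are the real Auth0 Actions hook and API.

```javascript
// Added example (not from the thread): a post-login Action that embeds a
// compact, size-budgeted permission claim in the access token, plus the
// API-side helpers that read it back.

// Namespaced custom claim name (assumed; Auth0 requires a namespaced name).
const PERMS_CLAIM = 'https://example.com/perms';
// Character budget for the claim. Constructed value: keep it far below the
// ~4K-character token ceiling mentioned in the thread, since the token also
// carries standard claims, a header and a signature.
const MAX_CLAIM_CHARS = 1024;

// Single-letter codes keep each entry short: "12:rw" instead of a JSON object.
const ACTION_CODE = { read: 'r', write: 'w' };
const CODE_ACTION = { r: 'read', w: 'write' };

// Constructed sample: the per-user result a database lookup might return.
const SAMPLE_PERMISSIONS = { 1: ['read', 'write'], 2: ['write', 'read'], 3: ['read'] };

// {1:['read','write'], 3:['read']} -> "1:rw,3:r"
function compactPermissions(perms) {
  return Object.keys(perms)
    .sort((a, b) => Number(a) - Number(b))
    .map((id) => {
      const flags = [...new Set(perms[id].map((p) => ACTION_CODE[p]).filter(Boolean))]
        .sort()
        .join('');
      return `${id}:${flags}`;
    })
    .filter((entry) => !entry.endsWith(':')) // drop objects with no recognised action
    .join(',');
}

// Inverse of compactPermissions: "1:rw,3:r" -> {1:['read','write'], 3:['read']}
function parsePermissions(claim) {
  const perms = {};
  if (!claim) return perms;
  for (const entry of claim.split(',')) {
    const [id, flags] = entry.split(':');
    if (!id || !flags) continue;
    perms[id] = [...flags].map((c) => CODE_ACTION[c]).filter(Boolean);
  }
  return perms;
}

// Returns the compact claim string, or null when it would not fit the budget.
function buildPermissionClaim(perms, maxChars = MAX_CLAIM_CHARS) {
  const compact = compactPermissions(perms);
  return compact.length <= maxChars ? compact : null;
}

// Sets the claim on the access token, or a reference claim when the
// permission set is too large; the API must then look permissions up by user id.
function applyPermissionClaim(user, api, maxChars = MAX_CLAIM_CHARS) {
  const perms = (user.app_metadata && user.app_metadata.permissions) || {};
  const claim = buildPermissionClaim(perms, maxChars);
  if (claim !== null) {
    api.accessToken.setCustomClaim(PERMS_CLAIM, claim);
    return 'inline';
  }
  api.accessToken.setCustomClaim(`${PERMS_CLAIM}/ref`, user.user_id);
  return 'reference';
}

// Auth0 post-login Action entry point (real hook name; in the Actions editor
// it is exported as exports.onExecutePostLogin). Storing permissions under
// app_metadata.permissions is an assumption of this example.
async function onExecutePostLogin(event, api) {
  applyPermissionClaim(event.user, api);
}

// API-side check against a decoded token payload. Signature verification is
// assumed to have already happened in the JWT middleware that produced it.
function hasAccess(payload, objectId, action) {
  const perms = parsePermissions(payload[PERMS_CLAIM]);
  return (perms[String(objectId)] || []).includes(action);
}
```

The budget check is the important part: deciding at token-issue time whether the claim fits means a user with an unusually large permission set degrades to the database lookup instead of producing a token the browser cannot carry. Anything the API reads from the claim is only as trustworthy as the token's signature, so `hasAccess` must sit behind normal JWT verification.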