Hello,
I’m responsible to develop a central authentication and authorization service for multiple applications and APIs. However, it seems that those use cases for authorisation are rather complex when using Auth0.
The most complex case seems this: We want to allow users to organise themselves in teams and request API keys to access one of our APIs on behalf of that team. Users can belong to multiple teams and the teams will have different permissions and rate limits for different APIs.
After reading through Auth0 docs, this seems to be one way to solve that. But I’d like to have some input to open questions and whether this concept makes sense at all:
- User Tom registers on a MyAccount web application using Auth0.
- MyAccount requests an API key for the central authorisation API auth.myorg.com (hosted by us) using the Authorization Code Flow (with PCKE if MyAccount is a SPA)
- Tom sends a
create_team
request to auth.myorg.com to create the team some_team - The authorisation API uses Auth0’s Management API to
a) Create a new resource server (API) on Auth0 (for example using the identifier auth.myorg.com/teams/some_team)
b) Add the team and the users role to the usersapp_metadata
field (for example{ "teams": [ {"name": "some_team", role: "admin"} ]
} - Tom now switches to the team page on the MyAccount web app which then requests an access token for auth.myorg.com/teams/some_team (using the Authorization Code Flow again)
- An Auth0 rule now checks on that authorisation request that Tom belongs to
some_team
(otherwise returns unauthorised) and adds the roleadmin
to the token. - Tom now can access the teams page and is able to add/remove other users via auth.myorg.com endpoint (Question: How can auth.myorg.com query Auth0 for all users belonging to team
some_team
?) - We now want to allow
some_team
access to ourapi.myorg.com with custom rate limits, so
a) One of our admins sends aset_permissions
request to auth.myorg.com to allowsome_team
to access ourapi.myorg.com with a limit of 1000 requests per second.
b) The auth.myorg.com API either stores this internally in a database or uses the Management API to write this to Auth0 (Question: Where would we store such team based parameters in Auth0?)
c) auth.myorg.com also uses the Management API to create a new resource server (API) ourapi.myorg.com/teams/some_team - Tom now wants to create an API key to access ourapi.myorg.com on behalf of
some_team
, so:
a) The MyAccount applications requests arefresh_token
for ourapi.myorg.com/teams/some_team via auth.myorg.com using the Authorization Code Flow
b) An Auth0 rule now checks that Tom belongs tosome_team
(otherwise returns unauthorised) and adds the custom rate limit to the access token.
c) The refresh token is displayed to Tom, which he can now use to get short lived access tokens. He does this by proxying the request through auth.myorg.com which uses its client id and secret to be able to refresh access tokens.
d) Tom uses those access tokens to request data from ourapi.myorg.com, while ourapi is applying the teams rate limits.
This seems rather complicated though and I’m not sure if it’s not easier to just issue our own JWTs for API access and have API permissions stored in our own database (and use Auth0 only to handle access tokens for auth.myorg.com). But maybe I’m also getting this wrong and there is an easier way to solve this use case?