I have read the answer to How to assign custom scopes to users? - Auth0 Community and I am wondering about some more details.
For the client which has users (e.g. Single page application):
Is it possible to assign scopes which are not defined within the scopes of the API? For example, our data model includes companies. A user has permission to add documents to his own company only, and each user belongs to one company only. So I would like to have scopes such as “company//document:create” “/company//document:delete”.
In the most extreme case, would it be possible to use the full URL as a scope?
For example, when a user wants to send a document from his own company to company ABC, then our single page application could request a scope:
“/company//partnerCompany//mail:create”.
I was thinking that this would make sense since then the resource server only needs to check whether the request URL matches any of the scopes in the JWT. Thus no or very little authorization logic is needed in a resource server.
The general idea is to have the full authorization logic in one place (inside the Auth0 user rules). For this to be possible, the script which is defined in a user rule should be quite unrestricted. For example, in complicated cases, it should be able to call an external authorization service or make decisions based on data in a custom database.
For the non-interactive client (e.g. customer’s technical system which is connecting to our API):
Is it possible to programmatically (dynamically) define scopes also for technical clients which do not have users? For example, a client ABC has partnerships with companies BCD and EFG and many others. These partnerships are saved in our DB. Client ABC, using our technical API, is allowed to read documents of partner companies; thus, he should be able to request and receive scope “company//document:read”. It would be very impractical/impossible to define such scopes manually for the technical API which we create for a client. Maybe I am looking wrongly at this case and maybe we need to create a user for each company in role “technical system” and use rules for this user. Or maybe the companies themselves should be considered users. Is there a recommended approach to this?
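As an added illustration (my own code, not from the original post or from Auth0), this is what the resource-server side of the "request URL matches a scope in the JWT" idea could look like once the token's signature, expiry and audience have already been verified by the usual JWT middleware. It assumes a constructed scope format such as `company:42:document:create`, using colons rather than slashes purely by choice (OAuth 2.0 scope values may contain slashes and colons but not spaces, quotes or backslashes, RFC 6749 section 3.3), and it deliberately does exact matching only, so a token for company 42 never authorizes a request for company 43.

```javascript
// Added example: resource-server check that derives the one scope a request
// needs from its method and path, then looks for an exact match in the
// JWT's space-delimited "scope" claim. Scope format is constructed:
//   company:<id>:document:create   (for POST /company/<id>/document)
// The rule that mints such scopes in Auth0 is out of scope here.
const ACTION_BY_METHOD = { GET: 'read', POST: 'create', PUT: 'update', DELETE: 'delete' };

function safeDecode(segment) {
  try { return decodeURIComponent(segment); } catch (_) { return null; }
}

// Map (method, path) to the single scope string that authorizes it, or null
// when the request cannot be mapped safely (unknown method, malformed or
// separator-confusing segment, traversal attempt).
function requiredScope(method, path) {
  const action = ACTION_BY_METHOD[String(method).toUpperCase()];
  if (!action) return null;
  const cleanPath = String(path).split('?')[0]; // ignore query string
  const parts = cleanPath.split('/').filter(Boolean).map(safeDecode);
  if (parts.length === 0) return null;
  for (const p of parts) {
    // A segment containing ':' or whitespace could forge a different scope
    // once joined; '.' and '..' are rejected as traversal-style segments.
    if (p === null || p === '.' || p === '..' || /[:\s]/.test(p)) return null;
  }
  return parts.join(':') + ':' + action;
}

// claims: the already-verified JWT payload. Returns true only on an exact
// scope match; prefix or wildcard matching is intentionally not supported.
function isAuthorized(claims, method, path) {
  const needed = requiredScope(method, path);
  if (needed === null) return false;
  const granted = typeof claims.scope === 'string' ? claims.scope.split(' ') : [];
  return granted.includes(needed);
}

module.exports = { requiredScope, isAuthorized };
```

Item-level paths such as `/company/42/document/7` map to `company:42:document:7:read` under this scheme, so either the rule must issue item-level scopes or the mapping must be extended to collapse item ids; the point is that every such decision then lives in the rule, not in the API.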