Hello,
I'm trying to create a SPA frontend and a Node backend, and I want to protect the backend based on user roles, meaning that if my users have the expected permissions, the backend should allow the request. Right now I have issues with the backend side.
I've been reading many docs and I'm a bit confused by the libraries you provide.
In some docs and videos you mention that I should use these libraries for doing token validation on the backend: GitHub - auth0/express-jwt-authz: Validate the JWT scope to authorize access to an endpoint, together with https://github.com/auth0/express-jwt:
- navigate to APIs, select my API, then click on Quickstart in the Auth0 portal
- video
Then, checking https://auth0.com/docs/quickstart/backend/nodejs#configure-the-middleware, it mentions I should use express-oauth2-jwt-bearer.

Which one do you recommend I use: express-jwt + express-jwt-authz, or just express-oauth2-jwt-bearer?
Looking at both libraries, with express-jwt + express-jwt-authz it seems I can check both the "scope" and the "permissions" fields of the token by using customScopeKey; however, I was not able to find the same behaviour in express-oauth2-jwt-bearer, meaning that I can only check the "scope" field of the token.
Doing some more digging, I found that express-jwt + express-jwt-authz are being replaced by express-oauth2-jwt-bearer. Is this correct? (Document and clarify advantages of using this vs express-jwt and jwks-rsa · Issue #48 · auth0/node-oauth2-jwt-bearer · GitHub.) If this is true, then how can I read the permissions assigned to the user if this library can only read the "scope" field? Maybe I'm missing something here?
This is the current token I get:
{
  "iss": "https://enviospet.us.auth0.com/",
  "sub": "auth0|61e967d2ae29b30076476b08",
  "aud": [
    . . .
  ],
  . . .
  "scope": "openid profile email",
  "permissions": [
    "appointments:admin"
  ]
}
Sorry for the long post and thank you in advance!
Right now my working example is:
- SPA running from the sample (auth0-react-samples/Sample-01 at master · auth0-samples/auth0-react-samples · GitHub).
- Node + Express backend registered on Auth0 and running (I'm able to validate the token using the express-oauth2-jwt-bearer library).
- User with a role assigned, and I can log in with the SPA.