Which backend library to use, and should I use the "permissions" or "scope" field for role/permission validation on our backend?

Hello,

I'm trying to create an SPA frontend and a Node backend. I want to protect the backend based on user roles… meaning that if my users have the expected permissions, the backend should allow access. Right now I have issues with the backend side…

I've been reading many docs and I'm a bit confused about the libraries you provide.

In some docs and videos you mention that I should use these libraries for doing token validation on the backend: express-jwt-authz (GitHub - auth0/express-jwt-authz: Validate the JWT scope to authorize access to an endpoint) together with https://github.com/auth0/express-jwt:

  • navigate to APIs, select my API, then click on Quickstart in the Auth0 portal
  • video

Then, checking this https://auth0.com/docs/quickstart/backend/nodejs#configure-the-middleware, it mentions I should use express-oauth2-jwt-bearer.

  1. Which one do you recommend I use: express-jwt + express-jwt-authz, or just express-oauth2-jwt-bearer?

  2. Looking at both libraries, with express-jwt + express-jwt-authz it seems I can check both the “scope” and “permissions” fields from the token by using customScopeKey; however, I was not able to find the same behaviour in express-oauth2-jwt-bearer, meaning that I can only check the scope field from the token…

Doing some more digging, I found that express-jwt + express-jwt-authz are being replaced with express-oauth2-jwt-bearer; is this correct? (Document and clarify advantages of using this vs express-jwt and jwks-rsa · Issue #48 · auth0/node-oauth2-jwt-bearer · GitHub.) If this is true, then how can I read the permissions assigned to a user if this library can only read from the “scope” field? Maybe I'm missing something here?

This is the current token I get:

{
  "iss": "https://enviospet.us.auth0.com/",
  "sub": "auth0|61e967d2ae29b30076476b08",
  "aud": [
    . . .
  ],
  . . .
  "scope": "openid profile email",
  "permissions": [
    "appointments:admin"
  ]
}

Sorry for the long post and thank you in advance!

Right now my working example is:
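Added example, not the poster's code and not the snippet the post was about to show: a small Express-style middleware factory in JavaScript that authorizes on the token's `permissions` claim (the role express-jwt-authz's customScopeKey plays) and can check `scope` the same way. It assumes the JWT's signature, issuer, audience and expiry have already been verified by an upstream middleware that attaches the payload to `req.auth.payload` (express-oauth2-jwt-bearer's convention) or to `req.auth` (express-jwt's); the request/response objects and the sample payload are constructed for the demo.

```javascript
// Added example (not the poster's code). Authorizes a request on a claim of
// an ALREADY-VERIFIED token payload. Nothing here checks a signature; an
// upstream JWT middleware is assumed to have done that and to have attached
// the payload as req.auth.payload (express-oauth2-jwt-bearer) or req.auth
// (express-jwt).

// Normalize a claim into a Set of strings. Auth0 emits `scope` as a
// space-separated string and `permissions` as an array of strings; any
// other shape is treated as "no permissions", so a malformed claim fails closed.
function claimToSet(value) {
  if (typeof value === 'string') {
    return new Set(value.split(' ').filter(Boolean));
  }
  if (Array.isArray(value) && value.every((v) => typeof v === 'string')) {
    return new Set(value);
  }
  return new Set();
}

// Returns the required values that are NOT present in the claim.
function missingFrom(claimValue, required) {
  const have = claimToSet(claimValue);
  return required.filter((r) => !have.has(r));
}

// Middleware factory. `claim` is 'permissions' for Auth0 RBAC permissions or
// 'scope' for OAuth scopes. Every value in `required` must be present (AND).
function requireClaim(claim, required) {
  if (!Array.isArray(required) || required.length === 0) {
    throw new Error('requireClaim: required must be a non-empty array');
  }
  return function (req, res, next) {
    const payload = (req.auth && req.auth.payload) || req.auth;
    if (!payload) {
      // No verified token attached: the JWT middleware did not run or rejected it.
      return res.status(401).json({ error: 'unauthorized' });
    }
    const missing = missingFrom(payload[claim], required);
    if (missing.length > 0) {
      // Authenticated but not authorized for this route.
      return res.status(403).json({ error: 'insufficient_' + claim, missing });
    }
    return next();
  };
}

// Convenience wrappers for the two claims discussed in the post.
const requirePermissions = (...perms) => requireClaim('permissions', perms);
const requireScopes = (...scopes) => requireClaim('scope', scopes);

// Minimal stand-in for Express's req/res so the middleware runs offline.
// `payload === undefined` simulates a request with no verified token.
function runMiddleware(mw, payload) {
  const result = { status: 200, body: null, nextCalled: false };
  const req = payload === undefined ? {} : { auth: { payload } };
  const res = {
    status(code) { result.status = code; return this; },
    json(body) { result.body = body; return this; },
  };
  mw(req, res, () => { result.nextCalled = true; });
  return result;
}

// Constructed payload shaped like the token in the post (claims trimmed,
// issuer and subject replaced by placeholders).
const samplePayload = {
  iss: 'https://TENANT.auth0.com/',
  sub: 'auth0|PLACEHOLDER',
  scope: 'openid profile email',
  permissions: ['appointments:admin'],
};

// Demo: the sample token carries appointments:admin, so the first call
// reaches next(); the second asks for a permission it lacks and gets a 403.
console.log(runMiddleware(requirePermissions('appointments:admin'), samplePayload));
console.log(runMiddleware(requirePermissions('appointments:delete'), samplePayload));
```

Two design points worth keeping whichever library ends up doing the signature check: the route guard reads `permissions`, not `scope`, because in the token above `scope` only carries the OIDC scopes (`openid profile email`) while the RBAC permission lives in the separate `permissions` array; and a missing or oddly typed claim yields an empty set rather than being skipped, so the check fails closed. The `permissions` array only appears in an Auth0 access token when RBAC and "Add Permissions in the Access Token" are enabled in the API's settings; if it is absent, the guard correctly returns 403 rather than letting the request through.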