
I have created an account with Auth0 and I am trying to get a simple login for Angular 2 to our backend API.

1. What I am trying to do is to be able to access the roles in the API to see whether the user has the correct permissions.

I have enabled the Auth0 Authorization extension, gone in and created one group and one role, assigned these to a test user which I have created, and then gone to the configuration and published the rules for token contents and persistence.

How can I view the permissions/groups from the JWT in a Node.js app? I am using express-jwt and this:

const jwt = require('express-jwt');
const config = require('config'); // assumed: whatever module provides config.get()

// Validates the HS256 signature with the client secret and checks the aud claim
const authenticate = jwt({
  secret: config.get('AUTH0_CLIENT_SECRET'),
  audience: config.get('AUTH0_CLIENT_ID'),
  credentialsRequired: false, // requests without a token pass through with no req.user
});

This gives me details such as iss, sub and aud, but no details on the user metadata; how am I able to retrieve this? Also, as I have clearly not used Auth0 before, is it best practice to store the user details in our own database too so I can use my own ID to store against the user actions, or is it possible to use an ID, if Auth0 gives one, to store against user actions in our database?

EDIT 1

OK, I can see there is an options parameter for the Lock in which you can pass scopes; is it bad practice to request these when logging in? There will only really be a handful of groups/roles for now. Or is it better that the API can look up the user using the token provided to get the app_metadata to view the permissions etc.? If so, how can I look this up?


2. How am I able to manage the users and view them so I can display them in our own admin panel and manage the permissions they have?

mchaffe

1 Answer


For the case where the groups and roles information is available within the token itself (as groups and roles claims), and given that you're using express-jwt, you can access this information on the server-side by accessing:

req.user.groups
req.user.roles

In essence, express-jwt will make the claims contained within the token available in the req.user object.

In relation to the ID you use to identify the user, you can use the value contained within the sub claim of the user token. This value is guaranteed to be unique and stable, so a recurring user that authenticates in exactly the same way will always have the same value within the sub claim.

You already discovered that one way to include the groups and roles information is to request it through the scope parameter. It's not a bad practice to request this information to be included in the token; however, you need to take into consideration that tokens delivered through the implicit grant, which is used by SPAs, are included as part of the callback URL and as such their maximum size is constrained by the limits imposed on URLs.


In regards to your second question, you could implement your own management backend by integrating both the Auth0 Authorization extension API and the Auth0 Management API; see the following links for more info:

João Angelo
  • With regards to the first part, you say I need to take into consideration the implicit grant used by SPAs. I am new to this auth0/oauth way of user authentication; would you mind explaining that a little more? Is there an alternative way? Currently the Angular2 app uses the auth0 Lock and then uses the JWT to send requests to the API; should I be logging in through the API and the API sending the request to auth0? Also, is it good practice to use the auth0 iss to store in our database, or is it best to duplicate the user on our end to match up the user? Thanks – mchaffe Jan 11 '17 at 12:01
  • With implicit grant the token is returned as part of the redirect URL, something like `https://[yourdomain]/callback#[token_param_name]=[token_value]`. In the previous example the length of the URL will vary mostly based on the contents of `[token_value]`, so if you request that a lot of information be contained within the token you need to consider if it can cause problems with URL size. You can store the Auth0 user identifier `sub` claim in your database, because that uniquely identifies the user. – João Angelo Jan 11 '17 at 12:12
  • Thanks. I'm running an Angular 2 Auth0 demo and I can't see where or how the callback is set up. Is there an alternative to the implicit grant, or is that the simplest solution? Do you know what the limits of the contents would be that could make the URL too large? Thanks – mchaffe Jan 12 '17 at 23:34
  • If you're using Auth0.js or Lock they will set the callback for you if you don't do it explicitly. Check this [SO question](http://stackoverflow.com/questions/417142/what-is-the-maximum-length-of-a-url-in-different-browsers) for info about URL limits. – João Angelo Jan 13 '17 at 10:24