
I am trying to get an AWS HTTP API JWT Authorizer with scopes on an endpoint to work happily with my Auth0 access tokens.

The JWT Authorizer looks for the necessary scopes in the access token's "scope". I am thinking that this is used for fine-grained authorization. But, Auth0 returns permissions in a "permissions" array rather than in the token's "scope".

Is there a way to get my permissions to show up in the "scope" of the access token so that I can use the JWT Authorizer to handle fine-grained permissions? Or will I need to have my lambda function dissect the authenticated JWT after it's gone past the JWT Authorizer?

groffcole
  • 871
  • 1
  • 7
  • 18

2 Answers

0

There is a way to add your user permissions into the scope claim of your token. This thread details two ways to achieve this:

  1. Adding a rule that reads these permissions and copies them into your access_token scope claims.
function (user, context, callback) {
  // Runs on every login. auth0.accessToken and auth0.domain are globals
  // provided by the Auth0 rule sandbox for calling the Management API.
  var ManagementClient = require('auth0@2.17.0').ManagementClient;
  var management = new ManagementClient({
    token: auth0.accessToken,
    domain: auth0.domain
  });

  var params = { id: user.user_id };

  management.getUserPermissions(params, function (err, permissions) {
    // Check the error before touching `permissions` (it is undefined on error);
    // failing the login is safer than issuing a token with an empty scope.
    if (err) {
      return callback(err);
    }

    var permissionNames = [];
    permissions.forEach(function (obj) { permissionNames.push(obj.permission_name); });

    // Auth0 serialises this array into the space-delimited "scope" claim.
    context.accessToken.scope = permissionNames;
    callback(null, user, context);
  });
}
  2. Using the RBAC feature with TOKEN_DIALECT. Note that information around this is extremely scarce; the post linked below is the only piece of information I have found about it. Also, I could not get this to work consistently, so personally I use method #1 listed here. TOKEN_DIALECT

In an ideal world option #2 is really the best and has the least configuration, but I have had issues with this.

Spencer Duball
  • 531
  • 2
  • 6
  • 18
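The fallback the question mentions (having the Lambda behind the JWT Authorizer enforce fine-grained permissions itself), as an added example that is not part of the question or either answer. It assumes an HTTP API with payload format 2.0, where the authorizer has already verified the token and exposes its claims at `event.requestContext.authorizer.jwt.claims`; the route keys and permission names are constructed for this example, and `ROUTE_REQUIREMENTS` is a hypothetical lookup table.

```javascript
// Required permissions per route key (constructed for this example).
const ROUTE_REQUIREMENTS = {
  'GET /orders': ['read:orders'],
  'DELETE /orders/{id}': ['delete:orders'],
};

// Normalise one claim value into a list of strings. "scope" is a
// space-delimited string (RFC 6749); Auth0's "permissions" is an array,
// which API Gateway hands to Lambda flattened as a string like "[a b]".
function claimToList(value) {
  if (Array.isArray(value)) return value.map(String);
  if (typeof value !== 'string') return [];
  const inner = value.startsWith('[') && value.endsWith(']') ? value.slice(1, -1) : value;
  return inner.split(/[\s,]+/).filter(Boolean);
}

// Effective permissions = union of the "scope" and "permissions" claims, so the
// check works whether or not a rule has copied permissions into "scope".
function effectivePermissions(claims) {
  return new Set([...claimToList(claims.scope), ...claimToList(claims.permissions)]);
}

// A route is allowed only if the token carries every permission it requires
// (stricter than the authorizer's route check, which needs only one scope);
// unknown routes are denied by default.
function isAuthorized(claims, routeKey) {
  const required = ROUTE_REQUIREMENTS[routeKey];
  if (!required) return false;
  const granted = effectivePermissions(claims);
  return required.every((p) => granted.has(p));
}

// Lambda entry point for HTTP API payload format 2.0.
const handler = async (event) => {
  const claims = (event.requestContext && event.requestContext.authorizer &&
    event.requestContext.authorizer.jwt && event.requestContext.authorizer.jwt.claims) || {};
  if (!isAuthorized(claims, event.routeKey)) {
    return { statusCode: 403, body: JSON.stringify({ error: 'insufficient_permissions' }) };
  }
  return { statusCode: 200, body: JSON.stringify({ sub: claims.sub, route: event.routeKey }) };
};

// Export for Lambda (guarded so the file also loads as a plain script).
if (typeof module !== 'undefined') module.exports = { handler, isAuthorized, effectivePermissions };
```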
-1

Is there a way to get my permissions to show up in the "scope" of the access token so that I can use the JWT Authorizer to handle fine-grained permissions?

This is a bad idea. A JWT token is small (<8 kb according to this answer). What will happen when you have a million resources? Will your "array of permissions" have a million items, too?

https://auth0.com/blog/on-the-nature-of-oauth2-scopes/

scopes are used to express what an application can do on behalf of a given user. (...) scopes are used for handling delegation scenarios (...) overloading scopes to represent actual privileges assigned to the app (as opposed to the delegated permissions mentioned above) is problematic

I work for Auth0 and we're building a solution to handle fine-grained authorization. See https://zanzibar.academy/

Maria Ines Parnisari
  • 16,584
  • 9
  • 85
  • 130
  • This does not answer the OP's question. Additionally, Auth0 has a toggle switch on their interface to copy all permissions to the access token (in the "permissions" attribute, not "scope" string attribute) which suggests having the permissions in a token was a requested feature. One big issue is that AWS HTTP API does not provide a way to interpret a token, for many including me I would just like an auth service that can just put my scopes into a scope string. Lastly, can you name one service with a million different claim options? This is super uncommon for the vast majority of Auth0 users. – Spencer Duball Jul 02 '22 at 16:52