Reputation: 4512
I am currently working through the tutorial for Auth0, located here:
https://auth0.com/docs/quickstart/spa/react/04-authorization
and am struggling to understand the concept of scopes in the context of an admin user.
Specifically, the following text...
Since this scope indicates that the user has read-only access to data, it might be considered that the user has some kind of "regular user" access level.
If you wanted some users to have write access to the same resource, and therefore some kind of "administrator" access level, you might consider introducing a scope of write:messages.
By adding write:messages as a scope to the api in my control panel, it is requested and set for every user.
This does not feel right at all. So I have attempted to fix this via rules.
function (user, context, callback) {
  // Only users whose app_metadata.roles contains 'admin' are affected.
  if (user.app_metadata.roles.indexOf('admin') > -1) {
    console.log(context);
    // Plain assignment replaces the whole scope value, so the scopes
    // already granted (openid, read:messages, ...) are dropped.
    context.accessToken.scope = 'write:messages';
  }
  callback(null, user, context);
}
Within my app_metadata object, I have given my admin user the role of admin. This rule works and now on sign in, the scope shown in dev tools is 'write:messages'.
However, now the initial scopes have been removed, for example 'openid read:messages', etc.
Just where am I going wrong? I would like to add to the existing scopes if the user is an admin.
Is this even the correct process for scopes / claims?
Upvotes: 0
Views: 3295
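A rule that appends the admin scope instead of replacing the scopes already granted, as an added example that is not code from the question or from the Auth0 tutorial. It assumes roles live in user.app_metadata.roles as the question describes, and that context.accessToken.scope holds the scopes granted so far either as a space-separated string (as the question assigns it) or as an array (as Auth0's rules documentation describes); whichever shape is found is preserved.

```javascript
// Added example, not the question's rule or Auth0's code. Assumes roles are in
// user.app_metadata.roles and that context.accessToken.scope is a string or array.

function toScopeList(scope) {
  // Normalise a space-separated string, an array, or nothing into an array.
  if (Array.isArray(scope)) return scope.slice();
  if (typeof scope === 'string') return scope.split(/\s+/).filter(Boolean);
  return [];
}

function mergeScopes(existing, extra) {
  // Union that keeps the original order and drops duplicates, returning the
  // same shape (string or array) as the existing value.
  const seen = new Set();
  const merged = [];
  for (const s of toScopeList(existing).concat(extra)) {
    if (!seen.has(s)) { seen.add(s); merged.push(s); }
  }
  return Array.isArray(existing) ? merged : merged.join(' ');
}

function hasRole(user, role) {
  // A user without app_metadata (or without roles) must not make the rule
  // throw: an exception inside a rule fails the whole login.
  const roles = (user && user.app_metadata && user.app_metadata.roles) || [];
  return Array.isArray(roles) && roles.indexOf(role) > -1;
}

// The rule in the (user, context, callback) shape Auth0 rules use. Only the
// admin branch touches the token; everyone else keeps exactly what they had.
function adminScopeRule(user, context, callback) {
  if (hasRole(user, 'admin')) {
    context.accessToken = context.accessToken || {};
    context.accessToken.scope = mergeScopes(context.accessToken.scope, ['write:messages']);
  }
  callback(null, user, context);
}
```

The API that receives the token must still check for write:messages itself; the rule only decides what is issued.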
Reputation: 2050
The best way to understand the concept of scopes and why they exist is to understand the fundamental idea of a JWT. An Auth0 JWT is just a giant hash key that can turn into a JSON. I can really take any JWT, go to the debugger on their website, put it in there and see all that data set on that token. I can make edits to it and the hash value will change.
Scopes are the idea that you can have properties in that JSON and it can tell your React application where they can or can't go. The problem is that anyone can take their token and edit the scopes to get into certain parts of your application.
What makes them great though is that even if a person were to do that, they really couldn't do anything. The second they tried to change anything they would have to make a request to your server. That is what the JWT secret is for. It would know that someone has tampered with the token that is sent in the HTTP request header and their request would be rejected.
What are scopes?
So what Auth0 does to try and simplify things a little is that when you log in you request the scopes on that token you want to get back. A scope is just a property of a JWT.
// Class fields of the tutorial's Auth helper: the scopes asked for at login,
// and the WebAuth client configured to request them.
requestedScopes = 'openid profile read:messages write:messages';
auth0 = new auth0.WebAuth({
  // ...
  scope: this.requestedScopes
});
In this example, you are saying you want to get this information from the token. You want their profile information and you want these scopes from the user that logs in. After logging in you will get an object as a response. It is going to have a property called scopes. If the scopes property is empty, it means that the user that logged in has all those scopes assigned to them. If the user that logged in has more scopes than what you requested then the scopes property will have the extra tags assigned to them.
It is designed this way because a standard user will have all the basic permissions, but an admin will have others, which are populated in the scopes property you get back.
Difference between scopes and app-metadata
App metadata is different in that it is part of the profile. Check out this token I created with scopes attached to it. You can see that it is different than the profile. App metadata can only be set on a token using the management API. That means only your server can change that information.
So scopes and app_metadata give you two ways of dealing with different permissions that people have on your site. You can also just state in the app metadata that this is an admin and let them do admin stuff on your client.
Scopes related to the Management API
Sometimes your server needs to use the Management API, so it needs a token too. That token can have scopes predefined by Auth0 to determine which endpoints you allow it to access. Check out the Management API explorer and see how these scopes play a part.
The way Auth0 is using scopes for their api should give you a pretty good idea of what you can do with them.
Just remember:
Upvotes: 6