dorinclisu / fastapi-auth0

FastAPI authentication and authorization using auth0.com
MIT License

Auth0 `permissions` in `Security` dependency? #7

Closed jtc42 closed 3 years ago

jtc42 commented 3 years ago

I'm just wondering if there's a nice way to require specific auth0 permissions in the Security(get_user) dependency, similar to how you can require scopes. We have an application which uses permissions heavily and I'm wondering if I've missed something here.

Thanks!

jtc42 commented 3 years ago

Please disregard. I was missing that my client application needs to explicitly request scopes for them to show up as scopes and not just permissions in the auth token. Thanks!

dorinclisu commented 3 years ago

Yes, as long as RBAC is enabled in auth0 for the API, permissions always show up in the token. But it's up to you to check them "manually" i.e. if user.permissions and "read:resource" in user.permissions: and take the decision of either limiting the response data or simply rejecting the request with 403.

If you want to reject the request "automatically" with 403 by using Security(get_user, scopes=["read:resource"]), then the frontend application must also ask for the respective scopes when obtaining the token, otherwise they won't be included in the token even if the user has the permissions.
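The two checks described above, as an added example that is not part of this issue or of the fastapi-auth0 code base: the `TokenUser` stand-in and its attribute names are assumptions that mirror the token's `permissions` and `scope` claims, and the token payloads are constructed.

```python
from dataclasses import dataclass, field
from typing import List

@dataclass
class TokenUser:
    # Stand-in for the user a decoded Auth0 access token yields (names assumed).
    # `permissions` mirrors the token's `permissions` claim (present whenever RBAC
    # is enabled for the API); `scopes` mirrors the space-separated `scope` claim,
    # which only contains what the client asked for when obtaining the token.
    sub: str
    permissions: List[str] = field(default_factory=list)
    scopes: List[str] = field(default_factory=list)

class Forbidden(Exception):
    """Raised where a FastAPI dependency would answer with HTTP 403."""
    status_code = 403

def user_from_claims(claims: dict) -> TokenUser:
    return TokenUser(
        sub=claims["sub"],
        permissions=list(claims.get("permissions") or []),
        scopes=(claims.get("scope") or "").split(),
    )

def require_scopes(user: TokenUser, required: List[str]) -> TokenUser:
    # "Automatic" 403 like Security(get_user, scopes=[...]): only the `scope`
    # claim counts, so it fails when the frontend never requested the scope.
    missing = [s for s in required if s not in user.scopes]
    if missing:
        raise Forbidden(f"missing scopes: {missing}")
    return user

def require_permissions(user: TokenUser, required: List[str]) -> TokenUser:
    # "Manual" check against the `permissions` claim, as the maintainer describes.
    if not user.permissions or any(p not in user.permissions for p in required):
        raise Forbidden(f"missing permissions: {required}")
    return user

def read_resource(user: TokenUser) -> dict:
    # Softer alternative to a hard 403: trim the response when permission is absent.
    full = bool(user.permissions) and "read:resource" in user.permissions
    return {"owner": user.sub, "detail": "secret" if full else None}

# Constructed token payloads: both carry the RBAC permission, but only the second
# client requested the matching scope when it obtained the token.
CLAIMS_NO_SCOPE = {"sub": "auth0|alice", "permissions": ["read:resource"], "scope": "openid"}
CLAIMS_WITH_SCOPE = {"sub": "auth0|bob", "permissions": ["read:resource"], "scope": "openid read:resource"}
```

Run against `CLAIMS_NO_SCOPE`, the scope-based check rejects while the permission-based check passes, which is exactly the mismatch the original question ran into.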

jtc42 commented 3 years ago

Thanks for confirming!