There are three kinds of users in my Auth0 tenant:
I created an API in Auth0 and attached it to the endpoints via a JWT authoriser in the new AWS API Gateway HTTP API.
There is business logic such that some endpoints allow only regular users and admins, and some allow only Mods and Admins. E.g.:
Currently, the authoriser allows any user in the Auth0 user database, and I check the user's identity within the application via several Auth0 Management API calls:
- `/userInfo` to make sure the token matches the `:user_id`
- `/oauth/token` to get an Auth0 Management API access token
- `/api/v2/users/:user_id` to get the user profile
- `/api/v2/users/:user_id/roles` to get the role

I believe there should be a better way to handle the identity check. Is it possible to create multiple authorisers with different role/permission scopes (e.g. allow regular user and admin) and attach each to the related endpoints accordingly?
I realised there is a `claims` object in `event.requestContext.authorizer.claims` from Lambda, according to the AWS API Gateway doc.

1. The `/userInfo` call is unnecessary.
2. `user.app_metadata` and the `claims` object.

Code sample for #2:
```javascript
function assignRoleToAppMetadata (user, context, callback) {
  // Auth0 Rules runtime; a module version can be pinned with require('auth0@<version>')
  const ManagementClient = require('auth0').ManagementClient
  const management = new ManagementClient({
    domain: '{YOUR_ACCOUNT}.auth0.com',
    clientId: '{YOUR_NON_INTERACTIVE_CLIENT_ID}',
    clientSecret: '{YOUR_NON_INTERACTIVE_CLIENT_SECRET}'
  })
  const params = { id: user.user_id }
  management.getUserRoles(params)
    .then(roles => {
      // Persist the roles on the user so later rules (and tokens) can read them
      user.app_metadata = user.app_metadata || {}
      user.app_metadata.roles = roles
      // `auth0` here is the Rules runtime global, not the module required above
      return auth0.users.updateAppMetadata(user.user_id, user.app_metadata)
    })
    .then(() => callback(null, user, context))
    .catch(err => {
      // Log and let the login continue rather than failing it
      console.error(err.message)
      callback(null, user, context)
    })
}
```
In addition, the following rule attaches the role info to `/userInfo`:
```javascript
function (user, context, callback) {
  const namespace = 'https://{YOUR_ACCOUNT}.auth0.com/'
  // Guard against users whose app_metadata has not been populated yet
  const roles = (user.app_metadata && user.app_metadata.roles) || []
  context.idToken[namespace + 'roles'] = roles
  callback(null, user, context)
}
```
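The Lambda side of this approach, as an added example that is not part of the question or answer above: it reads the namespaced roles claim from the authoriser event, gates each route on the roles the question describes (user/admin vs mod/admin), and performs the `:user_id` check against the token's `sub` instead of calling `/userInfo`. It assumes an HTTP API JWT authoriser with payload format 2.0 (claims under `requestContext.authorizer.jwt.claims`, with the flat `authorizer.claims` shape accepted as a fallback), that the rule above also adds the roles claim to the token the client actually sends to the API (the JWT authoriser validates that token, not the ID token returned by `/userInfo`), and a constructed route policy. The claim is normalised because the rule stores the role objects returned by the Management API and API Gateway flattens array claims into strings such as `[user admin]`.

```javascript
// Added example (not from the question or answer). Assumes an HTTP API JWT
// authoriser with payload format 2.0 and the roles claim present in the sent token.
const ROLES_CLAIM = 'https://{YOUR_ACCOUNT}.auth0.com/roles' // same namespace as the rule

// Route key -> roles allowed to call it. Constructed policy for this example.
const ROUTE_POLICY = {
  'GET /users/{user_id}': ['user', 'admin'],
  'DELETE /posts/{post_id}': ['mod', 'admin']
}

// Payload format 2.0 nests JWT claims under authorizer.jwt.claims; the older
// REST API authorisers expose authorizer.claims, so accept either shape.
function extractClaims (event) {
  const authorizer = (event.requestContext && event.requestContext.authorizer) || {}
  return (authorizer.jwt && authorizer.jwt.claims) || authorizer.claims || {}
}

// Normalise every shape the claim can arrive in (array of strings, array of
// Management API role objects, JSON string, or the '[user admin]' flattened
// form) into a plain array of role names.
function normaliseRoles (raw) {
  if (raw == null) return []
  if (Array.isArray(raw)) {
    return raw
      .map(r => (r && typeof r === 'object') ? r.name : r)
      .filter(r => typeof r === 'string' && r.length > 0)
  }
  if (typeof raw === 'string') {
    const s = raw.trim()
    try {
      const parsed = JSON.parse(s)
      if (Array.isArray(parsed)) return normaliseRoles(parsed)
    } catch (e) { /* not JSON; fall through to the flattened form */ }
    const inner = (s.startsWith('[') && s.endsWith(']')) ? s.slice(1, -1) : s
    return inner.split(/[\s,]+/).filter(Boolean)
  }
  return []
}

// Decide whether the caller may invoke the route. The :user_id check from the
// question is done against the token's `sub`, so no /userInfo call is needed;
// admins may act on any user.
function authorise (event) {
  const allowed = ROUTE_POLICY[event.routeKey]
  if (!allowed) return { allowed: false, status: 404, reason: 'unknown route' }
  const claims = extractClaims(event)
  const roles = normaliseRoles(claims[ROLES_CLAIM])
  if (!roles.some(r => allowed.includes(r))) {
    return { allowed: false, status: 403, reason: 'role not permitted', roles }
  }
  const targetUser = event.pathParameters && event.pathParameters.user_id
  if (targetUser && targetUser !== claims.sub && !roles.includes('admin')) {
    return { allowed: false, status: 403, reason: 'token subject does not match :user_id', roles }
  }
  return { allowed: true, status: 200, roles }
}

// Builds a minimal payload-2.0 event (constructed input for local runs and tests).
function makeEvent (routeKey, claims, pathParameters) {
  return {
    routeKey,
    pathParameters: pathParameters || {},
    requestContext: { authorizer: { jwt: { claims } } }
  }
}

// Lambda entry point: authorise first, then hand off to the business logic.
async function handler (event) {
  const decision = authorise(event)
  const body = decision.allowed ? { ok: true, roles: decision.roles } : { error: decision.reason }
  return { statusCode: decision.status, body: JSON.stringify(body) }
}

if (typeof module !== 'undefined') {
  module.exports = { handler, authorise, normaliseRoles, makeEvent, ROLES_CLAIM }
}
```

Because the JWT authoriser has already verified the signature, issuer, audience and expiry before the function runs, the handler only has to reason about claims; keeping the per-route policy in one table makes it easy to review which roles reach which endpoint.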