Tags: authentication, auth0

What permissions should my Auth0 API have to handle login & registration?


I'm going through the following documentation to set up Auth0. The documentation is fairly straightforward. However, I'm a little skeptical of the fact that it doesn't mention what permissions, if any, are needed when setting up the API in Auth0. It also doesn't explicitly say that no configuration is needed either.

On a side note, what's the general policy about setting up an Identifier? Auth0 says they will not call the endpoint, but I'm guessing I will have to at some point to use the API? What's been your approach when providing an Identifier for your API in Auth0?


Solution

  • I'll start with the last part of your question first.

    App Identifier: Or "audience". It does seem strange at first, but it really can be whatever you set. A URL is recommended both by Auth0 and also in the RFC for JWT (see https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3). This value is really for matching - or verifying - purposes. Where does the verifying get matched? Auth0 encodes it in the JWT that it provides to the web app -> that gets added to the Auth token which is passed to the backend -> the backend checks if the "aud" in the Bearer / Auth token matches the constant "aud" you have set (i.e. const authConfig).

    Also, as stated in this Auth0 article (in this case about Angular, but it applies across the board):

    Auth0 uses the value of the audience property to determine which resource server (API) the user is authorizing your Angular application to access.

    So it really does matching based on the "aud". It does not get called with a GET or POST.

    Your app uses "aud" to tell Auth0 which API it must use.
    Auth0 includes "aud" in the JWT it sends to the app.
    Your backend verifies the "aud" to ensure that indeed it is receiving a token meant for it.

    Permissions: Or scopes. If you are using an Auth0 SDK (which I am sure you are), then there is a good chance that the OIDC scopes are being requested for you automatically. See this article:

    When you don't pass a scope property to tokenOptions, the Angular SDK defaults to the OpenID Connect Scopes: openid profile email.

    So if you are just interested in basic user info, Auth0 has you sorted.

    However, going further, the permissions specified under your API are custom claims. In short, Auth0 will include these permissions in the JWT token sent to the authenticated frontend. When the frontend passes the JWT Auth token to your backend, your backend will check to see which custom scopes are present. If the required scope is present - your backend will execute the required protected endpoint.
    Captured nicely in this Auth0 article is the fact that Permissions really work well with Role Based Access Control (RBAC): Create API permissions and bundle them to Roles > Create Rules so that Roles are added when users log in > Specify which Users get which Roles.