How to handle Auth0 RBAC (Roles Based Access Control) using remix-auth-auth0?

[mattmazzola]

I have Auth0 Application with 2 roles and various users assigned to these roles
For example, User 1 (U1) is assigned Role 1 (R1), and User 2 (U2) is assigned Role 2 (R2)

When I login as a user I expect to have access to their roles so I can control certain rendering. For example, administrators should see extra content and features that other users can't see.

This information is supposedly encoded into the access token scopes, but the library doesn't give us access to the token.
I am using full redirect with cookies and only see a user or profile object.

If I use the Auth0 managementClient I can query a users roles; however, given the power of feature I thought it is likely supported and I just do not know how to use it.

Can someone give me example or suggestion?

[danestves]

Hey @mattmazzola we indeed give you the accessToken on the callback when a user login/register in your app

You can save that accessToken anywhere you want to be able to read it 👀

[mattmazzola]

Oh, right! I had followed tutorial so setup the package for remix using default strategy which only used the profile and had forgot that it could also expose the token.

It seems both the claims in this statement were wrong

...but the library doesn't give us access to the token.

Ok, as shown above the library DOES give access to the token.

This information is supposedly encoded into the access token scopes,

This does also not seem true.

This is the information I see returned

{
  profile: {
    provider: 'auth0',
    _json: {
      sub: 'email|63ba5b6254f56065ec6367c6',
      nickname: 'matt',
      name: 'matt@<removed>.com',
      picture: 'https://s.gr<removed>a.png',
      updated_at: '2023-05-14T17:26:33.804Z',
      email: 'matt@<removed>.com',
      email_verified: true
    },
    id: 'email|63ba5b6254f56065ec6367c6',
    displayName: 'matt@<removed>.com',
    emails: [ ],
    photos: [ ]
  },
  accessToken: 'eyJ<removed>qA',
  extraParams: {
    id_token: 'eyJh<removed>3A',
    scope: 'openid profile email',
    expires_in: 86400,
    token_type: 'Bearer'
  },
  context: undefined
}

Notice the scopes: openid profile email
I think these are standard OpenID Connect scopes.
They do not include the custom scopes I expected from roles / permissions defined such as admin, write:approver or read:all

So even though I can get the token I still do not have the data I desired.

Perhaps this isn't a limitation of the library but a limitation of Auth0.
(I find it hard to believe that Auth0 doesn't support this given all the documentation on RBAC. I suspect I am not using it correctly 😔 Docs mentioning custom scopes)

I guess this could be resolved. Although if anyone has solved this before I would still appreciate tips!

[sergiodxa]

You can pass a custom scope when creating an instance of the strategy.

authenticator.use(
  new Auth0Strategy(
    {
      callbackURL: "https://example.com/auth/auth0/callback",
      clientID: "YOUR_AUTH0_CLIENT_ID",
      clientSecret: "YOUR_AUTH0_CLIENT_SECRET",
      domain: "YOUR_TENANT.us.auth0.com",
      scope: "custom scope", // here
    },
    async ({ accessToken, refreshToken, extraParams, profile }) => {
      // Get the user data from your DB or API using the tokens and profile
      return User.findOrCreate({ email: profile.emails[0].value });
    }
  )
);