Tags: node.js, authentication, access-control, auth0

Auth0 access control


I am using Auth0 to manage a large set of users across several different applications, some being web-based and others desktop and mobile. Under the metadata for each user I have an array of applications each user can access, and I wondered how I might check this when authenticating so that access would be refused if the application is not within that list.

I can do this very easily on the applications, however it would be great to do it on Auth0.


Solution

  • Using a Rule defined as follows has provided me with the functionality I was looking for:

    function (user, context, callback) {
        // ACL object: application name (context.clientName) -> list of permitted e-mails
        var acl = {
            "someAppName": [ 'user1@mail.com', 'user2@mail.com' ],
            "otherApp": ['user2@mail.com']
        };
    
        // if the app is not in the ACL, skip the check and continue the login
        if (!acl.hasOwnProperty(context.clientName)) {
            return callback(null, user, context);
        }
    
        // check whether the user's e-mail is in the list for this app
        var userHasAccess = acl[context.clientName].some(
            function (email) {
                return email === user.email;
            }
        );
    
        // UnauthorizedError is provided by the Auth0 Rule sandbox; returning it denies the login
        if (!userHasAccess) {
            return callback(new UnauthorizedError('Access denied.'));
        }
        callback(null, user, context);
    }
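The question asked about checking a per-user list held in the user's metadata rather than a hard-coded ACL. The following is an added example (not part of the original question or answer) of a Rule that does that; it assumes the list lives under `app_metadata.allowed_apps`, a key I chose for illustration, and stubs the sandbox's `UnauthorizedError` so the logic can be run and tested outside Auth0.

```javascript
// Added example, not the original answer's code. Inside an Auth0 Rule the
// sandbox already provides UnauthorizedError; this stub exists only so the
// file runs stand-alone.
class UnauthorizedError extends Error {}

// Decide whether the user may log in to the application named in context.
// The allowed list is read from app_metadata, which users cannot edit
// themselves (unlike user_metadata), so it is the right place for an ACL.
// Assumed key: app_metadata.allowed_apps, an array of application names.
function hasAccess(user, context) {
  const meta = (user && user.app_metadata) || {};
  const allowed = Array.isArray(meta.allowed_apps) ? meta.allowed_apps : [];
  // Fail closed: a user with no list, or a malformed list, gets no access.
  return allowed.indexOf(context.clientName) !== -1;
}

// This is the function body you would paste as the Rule. context.clientName
// is the application's display name; context.clientID is also available and
// is the more stable identifier if application names may be renamed.
function accessRule(user, context, callback) {
  if (!hasAccess(user, context)) {
    return callback(new UnauthorizedError('Access denied to ' + context.clientName));
  }
  return callback(null, user, context);
}

// Constructed sample user and context for a stand-alone run.
const sampleUser = { email: 'user1@mail.com', app_metadata: { allowed_apps: ['someAppName'] } };
accessRule(sampleUser, { clientName: 'otherApp' }, function (err) {
  if (err) { console.log('denied:', err.message); } else { console.log('allowed'); }
});
```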