My setup consists of 3 components:
Auth0, where I add users and manage their permissions.
My front-end SPA web page, which serves as a shell for my API.
My API, made with ServiceStack.
Here's the authentication flow, as I imagine it:
The user clicks "log in with Auth0" in the client application.
The user is then redirected to Auth0, where he logs in and receives a JWT.
This JWT is stored on the client, and added to each request to my API.
My API (ServiceStack) verifies the JWT by checking that it matches the certificate given to me by Auth0.
My API (ServiceStack) checks if the user has the required permissions, as managed by Auth0 and included in the JWT.
Ideally this should be as simple as adding [Authorize] and [RequiredPermission] tags to the services to configure what permissions are required to access which services.
I have tried to achieve this in many different ways, but I'm starting to think my entire approach is flawed, so it's hard to add any code snippets to illustrate the problem. Am I misunderstanding something fundamentally, or is this something that should be possible to set up in ServiceStack? I'm able to get and verify the JWTs from Auth0 as being correct by using http://jwt.io/, the problem is just integrating this verification in ServiceStack.
Auth0 has published a number of docs and articles on integration with ServiceStack:
For JWT integration I've found a Custom Auth0 Provider at:
Or see this answer on integrating with an Auth0 OAuth Provider
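As an added example (not part of the question or of the answer above, and not Auth0's or ServiceStack's own sample code), the following shows the shape of the set-up the question describes: a ServiceStack AppHost that validates RS256 tokens issued by Auth0 against the tenant's public signing key, copies the token's permissions into the session, and protects a service with attributes. Assumptions: the key is supplied as a PEM placeholder that must be replaced with the real one from the Auth0 tenant; the token carries its permissions in a "permissions" claim (Auth0 does this when RBAC is enabled for the API, otherwise the claim name would have to be adjusted); the issuer and audience values are placeholders; and the exact property set of JwtAuthProviderReader (Issuer, Audiences, PublicKey, PopulateSessionFilter) should be confirmed against the ServiceStack version in use. Note that ServiceStack's attribute is [Authenticate], not [Authorize].

```csharp
using System.Collections.Generic;
using System.Security.Cryptography;
using Funq;
using ServiceStack;
using ServiceStack.Auth;
using ServiceStack.Text;

public static class Auth0Keys
{
    // Placeholder: paste the PEM public key of the tenant's signing certificate here.
    public const string PublicKeyPem = @"-----BEGIN PUBLIC KEY-----
REPLACE_WITH_TENANT_PUBLIC_KEY
-----END PUBLIC KEY-----";
}

public class AppHost : AppHostBase
{
    public AppHost() : base("Auth0 JWT API", typeof(OrdersService).Assembly) { }

    public override void Configure(Container container)
    {
        // Load the Auth0 public key so signatures can be checked offline; no
        // private key is ever held by the API (.NET 5+ ImportFromPem).
        using var rsa = RSA.Create();
        rsa.ImportFromPem(Auth0Keys.PublicKeyPem);

        Plugins.Add(new AuthFeature(() => new AuthUserSession(),
            new IAuthProvider[]
            {
                // Reader only: this API validates tokens, it never issues them.
                new JwtAuthProviderReader(AppSettings)
                {
                    HashAlgorithm = "RS256",                     // Auth0 signs with RS256
                    PublicKey = rsa.ExportParameters(false),     // public half only
                    Issuer = "https://YOUR_TENANT.auth0.com/",   // placeholder issuer
                    Audiences = new List<string>                 // placeholder API identifier
                    {
                        "https://api.example.invalid"
                    },
                    RequireSecureConnection = true,              // bearer tokens over TLS only

                    // Map Auth0's "permissions" claim onto the session so that
                    // [RequiredPermission] can evaluate it (assumed claim name).
                    PopulateSessionFilter = (session, payload, req) =>
                    {
                        if (payload.TryGetValue("permissions", out var perms)
                            && !string.IsNullOrEmpty(perms))
                        {
                            session.Permissions = perms.FromJson<List<string>>();
                        }
                    },
                },
            }));
    }
}

[Route("/orders")]
public class GetOrders : IReturn<List<string>> { }

// The SPA sends "Authorization: Bearer <jwt>" on every request; the reader
// rejects bad signatures, expired tokens and wrong issuer/audience before the
// service runs, and the permission attribute checks the mapped claim.
[Authenticate]
[RequiredPermission("read:orders")]
public class OrdersService : Service
{
    public object Get(GetOrders request)
    {
        // Constructed sample data standing in for a real query.
        return new List<string> { "order-1", "order-2" };
    }
}
```

A request without a token or with one that fails signature, expiry, issuer or audience checks gets a 401 before the service body runs; a valid token whose permissions claim lacks "read:orders" gets a 403. Because the public key is pinned in configuration, rotating the Auth0 signing certificate means updating the key here as well.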