Tutorials

|

10

minutes read

Role-Based Access Control with Auth0

Xíu

September 19, 2022

feature image

A better way to debug your PHP code

A better way to debug your PHP code

Khoa Pham

November 16, 2022

Discover iOS Dark Mode Programming

Discover iOS Dark Mode Programming

thomas.le

November 1, 2022

Introduction

Role-Based Access Control (RBAC) is an authorization strategy to restrict access to protected resources. It simplifies permission assignment by categorizing users in roles. This is an important part of an overall cybersecurity strategy. However, many people making their first foray into RBAC often have a question: how can they deal with roles in their code?

In this article, we are going to introduce a good way to implement RBAC in your application using Auth0.

Get to know Role-Based Access Control

Consider an example as an NFT platform for customers (collectors) who can collect NFTs and creators who can create NFTs and NFT Collections. Different users accessing this platform have different permission to view and change collections of NFTs. For example:

  • Each customer (collectors) can view and purchase NFTs.
  • Creators can manage collections and NFTs (CRUD)

Role-Based Access Control would help with the permission assignment by introducing the concept of role. A role is a collection of permissions. So, we will discuss more RBAC and how it can be used to apply levels of permission control over corporate resources and sensitive information.

RBAC examples

Here is how you would use RBAC to control privileges in a system that supports collection management. Take a system that performs the following actions for example:

These actions represent the permissions available for the system users. Based on business requirements, we group these permissions in the following roles:

  • Collector (view collection, view NFT, buy NFT, etc.)
  • Creator (can view, create, edit and delete collection)

An RBAC system allows us to create those roles that have associated access permissions to corporate resources. Once configured, system managers can assign users to these roles with this associated set of permissions.

RBAC advantages

The most significant benefit of the RBAC strategy is the ability to group different permissions so that they can be assigned and revoked collectively. Also, by changing the set of permissions in a role, it allows us to change permissions to a group of users in one step. This decreases the effort related to handling permissions in your system.

For example, your business decides that it won't permit the creators to delete the collection. In this situation, a system manager would remove the delete:collection permission from the role Creator to prevent creators from deleting collections. The users as creators would still be able to view or create a new one, but wouldn't be able to delete it.

How to implement RBAC using Auth0

Auth0 is a flexible, drop-in solution to add authentication and authorization services to your applications. Using Auth0, the implementation of RBAC to manage role-based permissions is simplified. Let’s take a closer look.

For example, to secure your application API with RBAC and Auth0, users with a given role can access the API while others cannot, you will need to follow a simple recipe with only four steps:

1. You must register the API in your Auth0 dashboard

  • Open the APIs section of the Auth0 Dashboard.
  • Click on the Create API button and fill out the New API form, then Create
register your API in Auth0 dashboard

2. After completing registration, you will need to define the permissions that this API will use

Enable Role-Based Access Control (RBAC)

  • Click on the "Settings" tab and locate the "RBAC Settings" section.
  • Switch on the "Enable RBAC" and "Add Permissions in the Access Token" options
define permission for your API in Auth0

Create an API permission

  • Click on the "Permissions" tab and fill a field from the "Add a Permission (Scope)" section
adding permission for your API

3. With the permissions mapped, your next task is to create the roles that will organize these permissions

Create a role

  • Open the User Management > Roles section of the Auth0 Dashboard.
  • Click on the Create role button and fill out the "New Role" form, then “Create
creating new roles to organize your permission

Add permissions to the role

  • Click on the "Permissions" tab of the roles page.
  • Select all the permissions available for this role
adding permission to roles

4. You will need to assign users to these roles.

  • On the user's page, click on the "Roles" tab and then click on the "Assign Roles" button.
assigning users to roles

We would like to emphasize that one of the most significant benefits of the RBAC strategy is to allow the classifying of different permissions so that they can be assigned and revoked collectively.

Just like if you decide that the creator will not allow deleting the collection, you need to remove the delete:collection permission from the role Creator.

revoking roles to users

Checking Permissions in Your Backend API

At this point, you've configured your API and created users with their respective roles on Auth0. Whenever a user logs in to one of your client applications, the Auth0 authorization server issues a JSON Web Token (JWT) format access token that the client can use to make authenticated requests to an API server.

Because you enable Auth0 Role-Based Access Control (RBAC) for an API, the access token will include a permissions claim with all the permissions associated with any roles you have assigned to that user.

If you decode the access token, you should see a payload similar to the following:

To authorize the incoming HTTP requests, your backend API needs to ensure the access token has the necessary permissions. You can accomplish this task by defining one middleware to extract permission claims from access tokens and check these claims before accessing resources. This is a diagram for illustration:

To authorize the incoming HTTP requests, your backend API needs to ensure the access token has the necessary permissions. You can accomplish this task by defining one middleware to extract permission claims from access tokens and check these claims before accessing resources.

Conclusion

We hope that this article would give you a clearer look at Role-Based Access Control and how to implement it using Auth0. To dig deeper into Identity Access Management (IAM), check out this amazing article - Intro to IAM.

Until next time, happy coding, folks!