Auth0-规则和组&&用户管理
[英]Auth0 - Rules & Groups && User Management
问题描述
I have created an account with Auth0 and I am trying to get a simple login for Angular 2 to our backend API. 
我已经使用Auth0创建了一个帐户,并且试图将Angular 2的简单登录信息登录到我们的后端API。
1. What I am trying to do is to be able to access the roles in the API to see whether the user has the correct permissions. 1.我想做的是能够访问API中的角色,以查看用户是否具有正确的权限。
I have enabled the Auth0 Authorization extension I have gone in and created one group and one role, I have assigned these to a test user which I have created, I have then gone to the configuration and published the rules for token contents and persistence. 我启用了Auth0授权扩展,并创建了一个组和一个角色,将它们分配给我创建的测试用户,然后转到配置并发布了令牌内容和持久性的规则。
How can I view the permissions/groups from the JWT in an nodejs app? 如何在nodejs应用程序中从JWT查看权限/组? I am using express-jwt and this: 我正在使用express-jwt ,这:
const authenticate = jwt({
secret: config.get('AUTH0_CLIENT_SECRET'),
audience: config.get('AUTH0_CLIENT_ID'),
credentialsRequired: false,
});
Which is giving me details such as iss, sub, aud. 这给了我详细信息,例如iss,sub,aud。 But no details on the user metadata, how am I able to retrieve this? 但是没有有关用户元数据的详细信息,我该如何检索呢? Also as I have clearly not used Auth0 before, is it best practice to store the user details on our own databases also so I can use my own ID to store against the user actions, or is it possible to use an ID if Auth0 give one to store against user actions in our database. 另外,由于我之前显然没有使用过Auth0,所以最好的做法是将用户详细信息也存储在我们自己的数据库中,以便我可以使用自己的ID来存储用户操作,或者如果Auth0给出一个,则可以使用ID以针对用户操作存储在我们的数据库中。
EDIT 1 编辑1
Ok I can see there is an options parameter for the Lock which you can pass scopes in, is it bad practice to request these when logging in? 好的,我可以看到Lock的一个options参数,您可以在其中传递作用域,登录时请求这些是不好的做法吗? There will only really be a handful of groups/roles for now. 目前,实际上只有少数几个组/角色。 Or is better that the API can lookup the user using the token provided to get the app_metadata to view the permissions etc, if so how can I look this up? 还是API可以使用提供的令牌来查找用户以获取app_metadata来查看权限等更好,如果可以,我该如何查找呢?
2. How am I able to manage the users and view them so I can display them in our own admin panel and manage the permissions they have. 2.我如何管理用户并查看他们,以便可以在我们自己的管理面板中显示他们并管理他们的权限。
1 个解决方案
解决方案1
0 2017-01-11 10:37:39
For the case where the groups and roles information are available within the token itself (as groups and roles claims) and given that you're using express-jwt then you can access this information on the server-side by accessing: 对于组和角色信息在令牌本身内可用的情况(作为groups和roles声明),并且假设您使用的是express-jwt则可以通过以下方式在服务器端访问此信息:
req.user.groups
req.user.roles
In essence, express-jwt will make the claims contained within the token available in the req.user object. 本质上, express-jwt将使令牌中包含的声明在req.user对象中可用。
In relation to the ID you use to identify the user you can use the value contained within the sub claim of the user token. 关于用于标识用户的ID,您可以使用用户令牌的sub声明中包含的值。 This value is guaranteed to be unique and stable so a recurring user that uses authenticates in exactly the same way will always have the same value within the sub claim. 该值保证是唯一且稳定的,因此以完全相同的方式使用身份验证的经常性用户在sub声明中将始终具有相同的值。
You already discovered that one way to include the groups and roles information is to request it through the scope parameter. 您已经发现,包括组和角色信息的一种方法是通过scope参数进行请求。 It's not a bad practice to request this information to be included in the token, however, you need to take in consideration that tokens delivered through the implicit grant which is used by SPA are included as a part of the callback URL and as such their maximum size is constrained by the limits imposed on URL's. 要求将此信息包含在令牌中并不是一个坏习惯,但是,您需要考虑到通过SPA使用的通过隐式授权传递的令牌已作为回调URL的一部分包含在内,因此它们的最大值大小受URL限制的限制。
In regards to your second question, you could implement your own management backend by integrating both the Auth0 Authorization extension API and also the Auth0 Management API; 关于第二个问题,您可以通过集成Auth0授权扩展API和Auth0管理API来实现自己的管理后端。 see the following links for more info: 有关更多信息,请参见以下链接:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.