
Auth0 access control

I am using Auth0 to manage a large set of users across several different applications, some being web-based and others desktop and mobile. Under the metadata for each user I have an array of applications each user can access. I wondered how I might check this when authenticating so that access would be refused if the application is not within that list.

I can do this very easily on the applications; however, it would be great to do it on Auth0.

Using a Rule defined as follows has provided me with the functionality I was looking for:

function (user, context, callback) {
    // ACL object: application name -> list of e-mail addresses allowed to log in
    var acl = {
        "someAppName": [ 'user1@mail.com', 'user2@mail.com' ],
        "otherApp": ['user2@mail.com']
    };

    // if App is not in the ACL, skip (applications not listed are left unrestricted)
    if (!acl.hasOwnProperty(context.clientName)) {
        return callback(null, user, context);
    }

    // check if user has access to app
    var userHasAccess = acl[context.clientName].some(
        function (email) {
            return email === user.email;
        }
    );

    // UnauthorizedError is a global provided by the Auth0 Rules sandbox;
    // passing it to callback aborts the login with the given message
    if (!userHasAccess) {
        return callback(new UnauthorizedError('Access denied.'));
    }
    callback(null, user, context);
}
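The question asked for the check to be driven by the per-user list of applications stored in the user's metadata rather than a hard-coded ACL. The following is an added example, not code from the original post, of a Rule that does that. It assumes the list lives in `app_metadata.allowed_apps` (a field name chosen here) and holds client IDs; `app_metadata` is used rather than `user_metadata` because Auth0 lets users update their own `user_metadata`, which would let them grant themselves access. Entries not matching the current client are denied by default.

```javascript
// Added example (not from the original post): an Auth0 Rule that reads the
// per-user list of permitted applications from app_metadata.
// Assumptions: the field is app_metadata.allowed_apps and it holds client IDs.
// The Auth0 Rules sandbox provides UnauthorizedError; the fallback below
// exists only so this file also runs stand-alone under Node.
if (typeof UnauthorizedError === 'undefined') {
  globalThis.UnauthorizedError = class UnauthorizedError extends Error {};
}

// Pure decision: is the application being logged into allowed for this user?
// Deny by default: missing metadata or a non-array value means no access.
function appAllowed(user, context) {
  var meta = (user && user.app_metadata) || {};
  var allowed = meta.allowed_apps;
  if (!Array.isArray(allowed)) {
    return false;
  }
  // Compare on clientID rather than clientName: an application can be renamed,
  // but its client ID is stable, so the ACL cannot be bypassed by a rename.
  return allowed.indexOf(context.clientID) !== -1;
}

// The Rule body as Auth0 would invoke it (function (user, context, callback)).
function accessControlRule(user, context, callback) {
  if (!appAllowed(user, context)) {
    return callback(new UnauthorizedError('Access denied.'));
  }
  return callback(null, user, context);
}
```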
