Auth0: Restrict SPA Application Access to API Audience/Permissions/Scopes

In Auth0 you can restrict the APIs/Permissions a Machine-to-Machine type Application has access to using the "APIs" section in the Application Configuration:



However, SPA type Applications do not have an equivalent configuration option:


There is no way to restrict the APIs a SPA type Application has access to directly. Instead, you must restrict the APIs/Permissions/Scopes a User has access to. (Most likely you'll want to do this using Roles.)


You must also ensure the "Enable RBAC" setting is turned on for all of your APIs (this setting is off by default).


If the "Enable RBAC" setting is NOT turned on, a SPA Application will be able to request a token for any API/Permission/Scope combination and Auth0 will return a valid token!

And even with this setting turned on, a SPA Application will be able to request and receive a token for an API the user does NOT have access to! The Audience value in the access token will be valid for the API, however the "scopes" and "permissions" will be empty.

The API validating a token from Auth0 must validate the Audience AND all relevant/necessary scopes.


In summary, turn on "Enable RBAC" for all APIs and validate the Audience AND Permissions on all access tokens.



Hope this helps!

Aaron



Comments

Popular posts from this blog

Search iPhone Text Messages with SQLite SQL Query

How to Turn Off Microsoft Arc Touch Mouse Scroll Sound Vibration

Configure SonarAnalyzer.CSharp with .editorconfig, no need for SonarCloud or SonarQube