Auth0: Restrict SPA Application Access to API Audience/Permissions/Scopes

In Auth0 you can restrict the APIs/Permissions a Machine-to-Machine type Application has access to using the "APIs" section in the Application Configuration:



However, SPA type Applications do not have an equivalent configuration option:


There is no way to restrict the APIs a SPA type Application has access to directly. Instead, you must restrict the APIs/Permissions/Scopes a User has access to. (Most likely you'll want to do this using Roles.)


You must also ensure the "Enable RBAC" setting is turned on for all of your APIs (this setting is off by default).


If the "Enable RBAC" setting is NOT turned on, a SPA Application will be able to request a token for any API/Permission/Scope combination and Auth0 will return a valid token!

And even with this setting turned on, a SPA Application will be able to request and receive a token for an API the user does NOT have access to! The Audience value in the access token will be valid for the API, however the "scopes" and "permissions" will be empty.

The API validating a token from Auth0 must validate the Audience AND all relevant/necessary scopes.


In summary, turn on "Enable RBAC" for all APIs and validate the Audience AND Permissions on all access tokens.



Hope this helps!

Aaron



Comments

Post a Comment

Popular posts from this blog

Search iPhone Text Messages with SQLite SQL Query

Image
While you're here, check out some of our interactive visualizations: Would you like to visualize your text messages? ------------------------------------------------------------------------------- In my experience, the iPhone text message search functionality is usually pretty awful. Especially if you're trying to find a text from a few years ago. Luckily, if you backup your iPhone using iTunes, your text messages are exported/stored in a SQLite database, and it is fairly easy to query. Here are the steps to SQL Query your Text Messages.   1. Backup your iPhone using iTunes.   2. Find the SQLite file that contains your text messages .     - in ~/Library/Application Support/MobileSync/Backup/* with a filename of 3d0d7e5fb2ce288813306e4d4636395e047a3d28   3. Ensure you have a SQLite Query tool ( SQLiteBrowser is pretty good ).   4. Open your SQLite Text Message DB File using your favorite SQLite query tool.   5. Execute t...
Read more

Configure SonarAnalyzer.CSharp with .editorconfig, no need for SonarCloud or SonarQube

Our goal was to use  SonarSource / SonarQube  static code analysis with the most "minimal" install/configuration footprint. We wanted the static code analysis to break/fail the build on the local developer machines as well as our CI/CD Azure DevOps environment if a rule was violated. SonarSource products usually rely on some external source,  SonarCloud /SonarQube to determine which rules to apply on the local dev machine, and to store the results. We wanted to eliminate these dependencies. SonarSource also provides a Visual Studio extension called  SonarLint  to help check the static code analysis rules within the Visual Studio IDE without needing an external source for the rules. The static code analysis rules SonarLint enforces are also defined in the  SonarAnalyzer.CSharp  nuget package. This nuget package is a set of  Roslyn Code Analyzers . In .NET Core, Roslyn Code Analyzers are triggered during a build if the nuget package is referenced by...
Read more

Edit Default Visual Studio 2012 Item and Project Templates

After adding a new file or project within a Visual Studio solution there are certain settings that I always update.  Follow the steps below to edit the default templates so these settings become the default. Visual Studio 2012 Project and Item Template files are located here: C:\Program Files (x86)\Microsoft Visual Studio 11.0\Common7\IDE\ItemTemplates C:\Program Files (x86)\Microsoft Visual Studio 11.0\Common7\IDE\ProjectTemplates Add "public" to all new C# class files: Edit the Class.cs file by adding the word "public" in front of the word "class" The Class.cs can be found here: C:\Program Files (x86)\Microsoft Visual Studio 11.0\Common7\IDE\ItemTemplates\CSharp\Code\1033\Class\Class.cs After you're done, it should look like this: using System; using System.Collections.Generic; $if$ ($targetframeworkversion$ >= 3.5)using System.Linq; $endif$using System.Text; $if$ ($targetframeworkversion$ >= 4.5)using System.Threading.Tasks; $e...
Read more