Auth0 allows customers to create tokens to protect their own APIs (https://auth0.com/docs/api-auth) using standard OAuth2 flows. As part of the configuration Auth0 allows to define a know lists of scopes available for APIs that might be used to display consent forms and it allows developers to modify the scopes that will be included in the resulting tokens.
Provide a solution that allows a customer to define limited access to their API:
- The user authenticates using Auth0
- Based on the user job title the user may have access to
- Read Data
- Write Data or
- Delete Data
- The application gets a token to act on behalf of the user
- The application calls the API to perform any activities
Build a sample application (SPA or Web Application) and a dummy service that depict the flow required to implement the authentication and the API Call.
- Do not use the
Authorization Extension. - Enable usage of
refresh_tokenfor mobile applications. - Add your own custom rule (not from a template) that enriches the user profile.
Please share the code on GitHub and make sure the README file is clean and clear so customers can understand it.
-
Navigate at URL https://onegit-webapp.azurewebsites.net/.
-
Log in using one of the following predefined users:
-
User with the access right
Read Data.- Login:
viewer@olegburov.com - Password:
Viewer2User
- Login:
-
User with the access right
Write Data.- Login:
editor@olegburov.com - Password:
Editor2User
- Login:
-
User with the access right
Delete Data.- Login:
admin@olegburov.com - Password:
Admin2User
- Login:
-
-
Depending on a user's access right, a security role is assigned with the following scope(s) for calling back-end Web API.
-
The access right
Read Data- Role:
reader - Scope:
read:repositories
- Role:
-
The access right
Write Data- Role:
editor - Scope:
create:repositories,read:repositoriesandupdate:repositories
- Role:
-
The access right
Delete Data- Role:
admin - Scope:
create:repositories,read:repositories,update:repositoriesanddelete:repositories
- Role:
-
-
Based on a user's role, the front-end WebApp provides differente actions for a user:
-
The role
reader- View existent repositories
-
The role
editor- View existent repositories
- Create new repositories
- Edit existent repositories
-
The role
admin- View existent repositories
- Create new repositories
- Edit existent repositories
- Delete existent repositories
-
-
When a user perform granted actions, the front-end WebApp communicates with back-end WebAPI (https://onegit-webapi.azurewebsites.net) using an
access_tokento invoke these actions on behalf of a user. -
The
access_tokenincludes a granted scope(s) based on a user's role. -
The WebAPI provides the following endpoints where each requres a specific scope to be executed:
-
The List Repositories operation returns a list of the repositories currently in a database.
GET https://{base-url}/api/repositoriesThe scope
read:repositoriesis required for service requests. -
The Get Repository operation gets a repository from a database.
GET https://{base-url}/api/repositories/{repository-guid}The scope
read:repositoriesis required for service requests. -
The Create Repository operation creates a new repository in a database.
POST https://{base-url}/api/repositoriesThe scope
create:repositoriesis required for service requests. -
The Update Repository operation updates an existent repository to the new one.
PUT https://{base-url}/api/repositories/{repository-guid}The scope
update:repositoriesis required for service requests. -
The Delete Repository operation removes an repository from database.
DELETE https://{base-url}/api/repositories/{repository-guid}The scope
delete:repositoriesis required for service requests.
-