Question: Since checking the scope is not enough (as it isn't a subset of the user's privileges), what is the most efficient way to access/validate the user's privileges? Amazing content by the way! This is the clearest explanation I've seen around this topic for years.
👋 Okta Dev Advocate here. Thank you so much for the feedback. To answer your question: how you perform these checks honestly depends on how you intend to use the user’s permissions in an application. If you do use Auth0, you can add permissions to your access tokens and check these in your APIs or backend. We also have some code samples that demonstrate this on the Auth0 Developer Center. Hope this helps! Happy to talk offline if that would be useful.
Thanks, @coreylweathers! You can explore one approach to run these checks using the Auth0 Developer Center resources: developer.auth0.com/resources/code-samples/api. Check out the ones for “Role-Based Access Control”.
Why does every IT company have some philosophers who decide what Privilege, Permission, Scope etc. are? Why can't we have a common understanding of the same things?
Such unambiguous and clear-cut definitions are what actually makes these words have a common understanding across everyone. Had there been no strict differentiations between those words, we would end up having incompatible and hence insecure implementations.
What an amazing video! The pacing, the voice, the soft background music, the clear animations, they are absolutely perfect! Instantly subscribed!
Glad you enjoyed it! Thanks for your kind feedback.
This is a very useful, clear and succinct overview :)
What an amazing video, thanks for that.
Thanks for the feedback! We're glad to hear you found it helpful.
Very helpful. Thank you.
Excellent