iOS Swift: Authorization

Gravatar for martin.walsh@auth0.com
By Martin Walsh
Auth0

Sample Project

Download a sample project specific to this tutorial configured with your Auth0 API Keys.

System Requirements
  • CocoaPods 1.2.1
  • Version 8.3.2 (8E2002)
  • iPhone 7 - iOS 10.3 (14E269)
Show requirements

Many identity providers supply access claims which contain, for example, user roles or groups. You can request the access claims in your token with scope: openid roles or scope: openid groups.

If an identity provider does not supply this information, you can create a rule for assigning roles to users.

Create a Rule to Assign Roles

Create a rule that assigns the following access roles to your user:

  • An admin role
  • A regular user role

To assign roles, go to the New rule page. In the Access Control section, select the Set roles to a user template.

Edit the following line from the default script to match the conditions that fit your needs:

function (user, context, callback) {

  //Define the name of the claim. Must look like a url:
  //Have 'http' or 'https' scheme and a hostname other than
  //'auth0.com', 'webtask.io' and 'webtask.run'.
  var claimName = 'https://access.control/roles';

  //Check if the email has the 'admin.com' domain and give the 'admin' role.
  //Otherwise, keep a default 'user' role.
  var roles = ['user'];
  if (user.email && user.email.indexOf('@admin.com') > -1) {
      roles.push('admin');
  }
  //Set the role claim in the id_token
  context.idToken[claimName] = roles;

  callback(null, user, context);
}

The rule is checked every time a user attempts to authenticate.

  • If the user has a valid email and the domain is admin.com, the user gets the admin and user roles.
  • If the email contains anything else, the user gets the regular user role.

The claim is saved in the ID Token under the name https://access.control/roles.

Depending on your needs, you can define roles other than admin and user. Read about the names you give your claims in the Rules documentation.

Test the Rule in Your Project

The claim with the roles you set is stored in the user's ID Token. It is a JSON Web Token (JWT) that holds claims. You can use a JWT decoding library to obtain the roles and perform access control. You can use the JWTDecode library.

import JWTDecode
guard
    let idToken = self.keychain.string(forKey: "id_token"),
    let jwt = try? decode(jwt: idToken),
    let roles = jwt.claim(name: "https://access.control/roles").array
    else { // Couldn't retrieve claim }

if roles.contains("admin") {
    // Access Granted
    // Present Admin Screen
} else {
    // Access Denied
    // Show warning
}

Restrict Content Based on Access Level

Now you can recognize the users with different roles in your app. You can use this information to give and restrict access to selected features in your app to users with different roles.

In the sample project, the user with the admin role can access the admin panel.

Use Auth0 for FREECreate free Account