Node.js Authorization

Seed Project

Download a sample project. You will need to login for the sample to be preconfigured.

Many identity providers will supply access claims, like roles or groups, with the user. You can request these in the token by setting scope: openid roles or scope: openid groups. However, not every identity provider supplies this type of information. Fortunately, Auth0 has an alternative, which is to create a rule for assigning different roles to different users.

Create a Rule to Assign Roles

First, create a rule that assigns users to either an admin role or a single user role. Go to the New Rule page on the Auth0 dashboard and select the "Set Roles to a User" template under Access Control.

By default, this rule will assign the user an admin role if the user’s email contains Otherwise, the user will be assigned a regular user role.

NOTE: The authorization rule can be customized as needed and is not limited to setting roles of admin and user.

Check if a User's Role is Present

Create a new file called requireRole.js. This file will contain a middleware that will be used to check for the existence of a role in a user's app_metadata. Since app_metadata is readonly for users, they are not able to manipulate their own authorization level.

// requireRole.js

module.exports = function requireRole(role) {
  return function(req, res, next) {
    var appMetadata = req.user.profile._json.app_metadata || {};
    var roles = appMetadata.roles || [];

    if (roles.indexOf(role) != -1) {
    } else {

Restrict Routes Based on the User's Roles

To demonstrate how to restrict access to certain routes based on a user's roles, you can update the routes/index.js to include an /admin route and use the requireRole middleware on it.

// routes/index.js


var requireRole = require('../requireRole');


  function(req, res) {

router.get('/unauthorized', function(req, res) {
  res.render('unauthorized', {env: env});


Next, add the required template for the /admin and /unauthorized routes.

// views/admin.jade

extends layout

block content
  h1 You are seeing this because you have the 'admin' role
// views/unauthorized.jade

extends layout

block content
  h1 Permission denied
  p Set "roles": ["admin"] in the user's app_metadata section.

The new /admin route requires the user to have a role of admin in their app_metadata and redirects to /unauthorized if the role is not present.

Previous Tutorial
6. Rules
Try Auth0 for FREECreate free Account