Node.js Authorization

Sample Project

Download a sample project specific to this tutorial configured with your Auth0 API Keys.

System Requirements
  • NodeJS 4.3 or superior
  • Express 4.11
Show requirements

Many identity providers will supply access claims, like roles or groups, with the user. You can request these in the token by setting scope: openid roles or scope: openid groups. However, not every identity provider supplies this type of information. Fortunately, Auth0 has an alternative, which is to create a rule for assigning different roles to different users.

Create a Rule to Assign Roles

First, create a rule that assigns users to either an admin role or a single user role. Go to the New Rule page on the Auth0 dashboard and select the "Set Roles to a User" template under Access Control.

By default, this rule will assign the user an admin role if the user’s email contains Otherwise, the user will be assigned a regular user role.

The authorization rule can be customized as needed and is not limited to setting roles of admin and user.

Check if a User's Role is Present

Create a new file called requireRole.js. This file will contain a middleware that will be used to check for the existence of a role in a user's app_metadata. Since app_metadata is readonly for users, they are not able to manipulate their own authorization level.

// requireRole.js

module.exports = function requireRole(role) {
  return function(req, res, next) {
    var appMetadata = req.user.profile._json.app_metadata || {};
    var roles = appMetadata.roles || [];

    if (roles.indexOf(role) != -1) {
    } else {

Restrict Routes Based on the User's Roles

To demonstrate how to restrict access to certain routes based on a user's roles, you can update the routes/index.js to include an /admin route and use the requireRole middleware on it.

// routes/index.js


var requireRole = require('../requireRole');


  function(req, res) {

router.get('/unauthorized', function(req, res) {
  res.render('unauthorized', {env: env});


Next, add the required template for the /admin and /unauthorized routes.

// views/admin.jade

extends layout

block content
  h1 You are seeing this because you have the 'admin' role
// views/unauthorized.jade

extends layout

block content
  h1 Permission denied
  p Set "roles": ["admin"] in the user's app_metadata section.

The new /admin route requires the user to have a role of admin in their app_metadata and redirects to /unauthorized if the role is not present.

Previous Tutorial
6. Rules
Use Auth0 for FREECreate free Account