Authorization for Auth0

Enterprise-grade authorization for Auth0

About the integration

Auth0 is an adaptable authentication platform that lets you easily add authentication to your application. Aserto is a powerful authorization platform that enables you to determine permissions and access within your application. Together, they provide out-of-the-box solutions for user authentication and authorization.

About Auth0

Auth0 is a flexible user authentication platform you can use as a complete login solution for your application. It provides the tools necessary to develop and maintain a secure identity infrastructure, including user authentication, data protection, and password management.

Auth0 enables you to avoid the cost, time, and risk associated with building your own solution for user authentication. You can implement single sign-on (SSO), multi-factor authentication (MFA), universal login, or passwordless access to your application via the platform’s robust API.

It makes implementing token-based authentication, email provider authentication, social network authentication, multi-factor authentication, and forget/change password flows a breeze.

About Aserto

Aserto is a powerful and flexible authorization-as-a-service built to evolve with your customer requirements. It helps you define, evolve, and enforce user permissions within your application.

Aserto is the perfect complement to Auth0’s authentication solution: Aserto makes it easy to define and evolve what users are permitted to do inside your applications. Built on trusted open-source projects like OPA and OCI, Aserto handles all the heavy lifting required to achieve secure, scalable, high-performance role-based access control (RBAC) and attribute-based access control (ABAC).

Aserto natively integrates with Auth0, and is typically incorporated into applications in under a day. Quickstarts and SDKs are available for popular programming languages and frameworks, including Node.js, Golang, Python, Flask, ASP.Net, and React, helping you get up and running in little to no time. REST / gRPC APIs are available for developers that want to go to the metal.

Better together

Setting things up

To set things up, connect Aserto to your Auth0 tenant, to import and automatically synchronize the users, roles, and attributes stored in your Auth0 tenant into the Aserto directory. You’ll also define your permissions and authorization policies in Aserto, and load any resource data you want to use in your authorization decisions.

You can develop against Aserto’s hosted authorizer, which Aserto operates for you. In a production system, you should deploy Aserto’s Edge Authorizer right next to your application, either as a sidecar or a microservice in the same cluster or subnet. Aserto’s control plane automatically syncs all of the user, resource, and policy data to the Edge Authorizer, which is ready to make authorization decisions for your application.

At runtime

At runtime, your application should verify the signed access token it receives from Auth0 after the user authenticates. Before accessing a protected resource, your application should make a call to the Aserto Authorizer, passing it the user context (typically in the form of the access token), policy context, and resource context. The Aserto Authorizer uses the powerful OPA decision engine to quickly make an authorization decision based on this data, which the application can use in order to gate the request and fail it if the user is not authorized to make it.

Auditing authorization decisions

Aserto keeps record of every authorization decision in a decision log for easy auditing from the control plane. Decision logs can be streamed or batched up into your favorite log analysis tool.

The Edge Authorizer architecture

While authentication happens once per session, authorization happens upon every request, so speed of response is crucial. The Aserto Edge Authorizers are deployed as microservices or sidecars right next to your application to minimize authorization latency and maximize availability. That way, your application is never dependent on the availability / uptime of a remote authorization service.

The Edge Authorizers make authorization decisions based on three important inputs:

Policies from your policy registry
Users, attributes, and roles from Auth0, supplemented with application-specific information stored in the Aserto directory3. Resource context passed by in your application

Any changes made to your Auth0 directory are automatically synchronized into the Aserto directory, to ensure you never make authorization decisions based on stale data. Aserto then pushes updates to your edge authorizer in near real time or can be configured to update on an interval determined by the application administrator.

Leveraging the policy, user, and resource contexts, Aserto makes it easy to evolve your authorization from coarse-grained RBAC to fine-grained authorization using ABAC, Access-control lists (ACL), or a mix of any of the three in order to meet your requirements as the needs of your enterprise customers change. This means you can build a strong authorization foundation once, and evolve your access control model easily over time.

Integrating Auth0 with Aserto allows you bridge the gap between authentication and authorization creating an end-to-end Auth solution.

Aserto also comes with the following benefits:

Out-of-the-box support for audit trails, custom roles, RBAC, ABAC, and ACL
Use a policy-as-code workflow to build, tag, push, version, and pull policy images just like docker images
Quick onboarding via first-class citizen integrations with Auth0 and your artifact registry, logging system, backend programming language, and frontend framework.
Built on top of a trusted open source policy engine, the Open Policy Agent (OPA)

Resources

Built for developers with ♥

Sam Hall

Head of Technology, Metrikus

"Authorization has been a constant worry over the last two years - everyone was scared of it. With Aserto, I'm so much more comfortable with authorization because I can see what's going on. Before, it was a dark art - we had a muddled permission structure. With Aserto, we have clear policies that are easy to implement and obvious to analyze. Aserto has made AuthZ something we're not scared of anymore."

Grant Miller

Co-founder / CEO, Replicated

"B2B SaaS vendors have a huge opportunity going after the enterprise, but only if they meet enterprise expectations, as we've captured in EnterpriseReady.io. Replicated serves 50% of the F100, and we know first-hand that authorization and RBAC are table-stakes for enterprise adoption. It's obvious to me that partnering with Aserto is a far better approach compared to rolling your own and having to reinvent the wheel."

David Kerber

VP of Technology

"Authorization involves really hard problems that I want experts to solve. We like to focus our internal engineering efforts on our customers and their problems. Aserto allows us to do just that, at a small fraction of the cost it would take to build and maintain it ourselves, not to mention the opportunity cost."

Mathias Biilmann Christensen

Co-founder & CEO, Netlify

"As millions of developers and businesses are adopting a Jamstack approach, most modern web applications involve multiple APIs and services. Aserto's promise of separating policies from code could radically simplify the implementation of authorization across the front-end UI and the larger world of back-end functions and endpoints."

Tom Preston-Werner

Co-founder, GitHub

"Building & managing an authorization/RBAC system is a huge pain, especially at enterprise scale. So stop! Aserto has a distributed, millisecond latency, 100% availability API for that. I'm excited to help as an angel investor!"