How to get user identity document for externally authenticated user?

I have implemented Auth0 authentication in my Fauna project. It works great. But I have a problem with the next step. In my app, users can create stuff and then grant other selected users permissions to see that stuff. I think I could implement that by adding a permissions collection that would associate user identities to permissions for certain documents, and then enforce those rules using predicates in roles. I believe I should use the string returned by CurrentIdentity to reference users in my permission documents? The problem here is that when the user in the frontend UI wants to select who he wants his stuff to be shared with, he cannot possibly know other users' identities looking like “google-oauth2|123863644245667360321”, but he’d like to identify other users by e-mail address. But does Fauna know externally authenticated users' e-mails, and how can I read those? So basically what I’d like to have is the client app telling the back end “grant the user of this e-mail address a read permission for this item” and the back end would know the identity of that e-mail holder and use that in my permission document.

After a successful Auth0 login at the client app I can of course access user data such as e-mail, and my client app could tell Fauna that “this identity means this e-mail” and I could store that in some document, but I think that would not be safe as a malicious client could claim any e-mail.

You do not need to create a permissions collection; Fauna’s ABAC roles define the privileges for the associated member identities.

When you create an AccessProvider, which connects Fauna with an external identity provider, there is a roles field that allows you to specify which roles should be applied to your Auth0 identities. Each role entry in an AccessProvider’s roles field allows for a predicate function to determine whether the role should be applied or not.

For example, if your Auth0 identities could be “users” or “administrators”, you can write a predicate function that inspects the claims in the JWT to determine whether the Users or Administrators role should be applied. It’s up to you to configure your JWT creation, in the identity provider’s settings, such that enough information is included in the JWT to make that determination.

Fauna does not “know” anything about Auth0 users unless that information is included in the JWT. Auth0 (and other identity providers) let you specify which claims should be included in JWTs. If you include a user’s email address in a JWT, then your Fauna queries can access that information. Since JWTs are encrypted, that information remains secure, unless you handle it in an insecure way.

I see! I didn’t quite understand how JWTs work. Now I studied it and managed to get Auth0 to add e-mail to the access token, so I can now access that information in Fauna queries and do whatever I want. Thanks!

2 Likes
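The following Node.js sketch is an added example, not code from the thread or from Fauna. It shows why an e-mail carried as a JWT claim can back an identity-to-e-mail record while an e-mail asserted by the client cannot: the claim is covered by the identity provider's signature. The key pair, issuer URL, claim name and identities are constructed stand-ins.

```javascript
const crypto = require('node:crypto');

const b64u = (s) => Buffer.from(s).toString('base64url');
const fromB64u = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Constructed stand-ins: a local RSA key pair plays the identity provider.
const idp = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const ISSUER = 'https://tenant.example.test/';     // hypothetical issuer
const EMAIL_CLAIM = 'https://example.test/email';  // hypothetical custom claim name

// What the provider does when it issues an RS256 token.
function signJwt(payload, privateKey) {
  const signed = `${b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${b64u(JSON.stringify(payload))}`;
  return `${signed}.${crypto.sign('sha256', Buffer.from(signed), privateKey).toString('base64url')}`;
}

// Returns the claims only if algorithm, signature, issuer and expiry all check out.
function verifiedClaims(token, publicKey, issuer) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  let header, claims;
  try { header = fromB64u(head); claims = fromB64u(body); } catch { return null; }
  if (header.alg !== 'RS256') return null; // pin the algorithm instead of trusting the header
  const ok = crypto.verify('sha256', Buffer.from(`${head}.${body}`), publicKey,
    Buffer.from(sig, 'base64url'));
  if (!ok || claims.iss !== issuer || !(claims.exp > Date.now() / 1000)) return null;
  return claims;
}

// The identity -> e-mail record is built from verified claims, never from request data.
function identityRecord(token, publicKey, issuer) {
  const claims = verifiedClaims(token, publicKey, issuer);
  return claims && { identity: claims.sub, email: claims[EMAIL_CLAIM] };
}

// A client that rewrites the e-mail claim cannot re-sign, so the old signature no longer matches.
function tamperEmail(token, email) {
  const [head, body, sig] = token.split('.');
  return `${head}.${b64u(JSON.stringify({ ...fromB64u(body), [EMAIL_CLAIM]: email }))}.${sig}`;
}

const token = signJwt({ iss: ISSUER, sub: 'google-oauth2|0000',
  exp: Math.floor(Date.now() / 1000) + 300, [EMAIL_CLAIM]: 'alice@example.test' }, idp.privateKey);

console.log(identityRecord(token, idp.publicKey, ISSUER));
console.log(identityRecord(tamperEmail(token, 'mallory@example.test'), idp.publicKey, ISSUER));
```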

How do I go about examining the JWT from a query?

For example, I’d like to create a function that reads from a table only the objects that have the username/email/id from the JWT. Is this possible? How do I access the JWT from Fauna’s query?

You can use the CurrentToken FQL function.

2 Likes