auth0-authorization-extension

/api/roles is returning an array of users that are assigned the role

Open pushpabrol opened this issue 7 years ago • 4 comments

/api/roles returns all the roles, and under each role it is returning a "users" attribute that is apparently every user assigned to the role. If someone has a large number of users, say ~100K+ users, this endpoint will return a very large payload.

The correct way might be to provide this information under GET /api/roles/{role_id} or GET /api/roles/{role_id}/members

pushpabrol avatar Oct 29 '17 01:10 pushpabrol

I think the second option might be preferable.

GET /api/roles/{role_id}/members 

It shouldn't affect the currently existing behavior of

GET /api/roles/{role_id}

jmward1978 avatar Nov 02 '17 18:11 jmward1978

When I want to add roles to a user, I need the role id, so I call /api/roles beforehand, then it returns unnecessary "users" too. This is so costly.

ShigeruNakagaki avatar Jan 31 '18 06:01 ShigeruNakagaki

I also have the same concern.

We should have an endpoint that just returns a pure list of roles, not the entire database association, because this will be very costly.

reggiepangilinan-s5 avatar Jul 26 '18 05:07 reggiepangilinan-s5

I have a tangential question regarding this: the users field being discussed here is not documented in the get all roles endpoint in the API docs. Is this field safe to rely on or might it be removed without warning?

nfadili avatar Nov 11 '20 20:11 nfadili