DEV Community

Discussion on: How do you handle role/permissions updates with JWT?

Eric Damtoft • Edited

Conflating authorization (roles, permissions, etc) and identity (name, email, userId, etc) into the same token can lead to a bunch of problems.

Roles and permissions change much more quickly than a name does, and you may need to revoke a role or permission on short notice. Think of a JWT like a driver's license. It's a stateless "token" issued by a central authority (the DMV) which makes some claims about you (name, DoB, license #) which can be verified by the security features on the card (i.e. looking at it under a blacklight). If you think of what information goes on something like a driver's license, it's just the identity information. If you get pulled over, the cop will use that token to establish who you are, but will have to run the license to see if it was suspended to see if you're actually allowed to be driving.

Although keeping roles and permissions in tokens is somewhat commonplace, it definitely has some drawbacks. Check out this video for some more info on it: vimeo.com/254635640. I think it's a much better setup to have the token establish an identity (authentication), but checking whether a user is allowed to perform a specific action (authorization) should require a check with some kind of central authority to see what the user is allowed to do.
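The split Eric describes, as an added example (this is not Eric's code or any library's API): the token carries identity claims only and is verified statelessly, while the permission check goes to a central store on every request, so a revocation takes effect on the next call without touching the token. The HS256 signing secret, the in-memory permission store, the user id and the permission names are all constructed for the example.

```python
"""Added example: identity in the JWT, authorization from a central store.

Assumptions (constructed for this example, not from the original thread):
an HS256 token, a demo signing secret, and an in-memory dict standing in
for the central authority that owns roles and permissions.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-signing-key-do-not-reuse"  # constructed placeholder secret


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_identity_token(user_id: str, email: str, ttl: int = 3600, now=None) -> str:
    """Issue a token that carries identity claims only: no roles, no permissions."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "email": email, "iat": now, "exp": now + ttl}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_identity_token(token: str, now=None) -> dict:
    """Authentication only: check the signature and expiry, return identity claims.

    The algorithm is pinned to HS256 rather than taken from the header, so a
    token that claims another 'alg' is rejected before any signature check.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p))
    if payload["exp"] <= now:
        raise ValueError("token expired")
    return payload


# The central authority for authorization: the "run the license" step.
# In-memory here; in practice a database or a policy service.
PERMISSIONS = {"alice": {"invoices:read", "invoices:approve"}}  # constructed data


def revoke(user_id: str, permission: str) -> None:
    """Revocation is a write to the central store; no token needs to change."""
    PERMISSIONS.get(user_id, set()).discard(permission)


def is_allowed(token: str, permission: str, now=None) -> bool:
    """Authorization: identity from the token, permissions from the store,
    so the revocation above is visible on the very next request."""
    claims = verify_identity_token(token, now=now)
    return permission in PERMISSIONS.get(claims["sub"], set())
```

Because `is_allowed` consults the store rather than the token, the token's lifetime bounds how long a stolen identity can be presented, but not how long a revoked permission keeps working: that window is zero.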

Stephen Chiang

This was an excellent explanation... I wish I could bookmark comments.

John Murphy

That's a genius idea, might just implement that on my website one day.

Sebastián Duque G • Edited

Thanks a lot for sharing!

I tend to handle it this way. The user's authorization data is queried with a REST endpoint (/api/users/me). The main challenge with this approach is knowing what kind of user interaction triggers an authorization data update in order to have new changes as "real time" as possible. Usually, this interaction is related to users' navigation in the app menu.

EDIT:

Your driving license analogy is great!

James Hickey

Agree. This also helps the JWT to be as slim as possible.

I tend to only want the key that can help me get to information about a resource (usually some type of ID).

"Normal" methods of dealing with performance issues should be applied at this point if having to fetch authorization details is causing issues.
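An added example (not code from Sebastián or James) tying their two comments together: a handler for a `/api/users/me`-style endpoint that returns the user's current roles and permissions, fronted by a short-TTL cache so that a refresh on every menu navigation does not hit the central store each time, plus explicit invalidation so an admin-side change is visible on the next request rather than at the next TTL expiry. The store contents, user ids, TTL and the ETag scheme are constructed for the example; the user id is assumed to come from an already-verified identity token.

```python
"""Added example: current authorization data from a central store with a
short-TTL cache and explicit invalidation.

All store contents and ids below are constructed for the example.
"""
import hashlib
import json
import time
from typing import Optional

# Constructed stand-in for the central authorization store (a database in practice).
AUTHZ_STORE = {
    "u-42": {"roles": ["editor"], "permissions": ["posts:write", "posts:publish"]},
}
LOADS = {"count": 0}  # counts round trips to the store so the cache is observable


def load_from_store(user_id: str) -> dict:
    LOADS["count"] += 1
    entry = AUTHZ_STORE.get(user_id, {"roles": [], "permissions": []})
    return {"roles": sorted(entry["roles"]), "permissions": sorted(entry["permissions"])}


class AuthzCache:
    """Bounded staleness: an entry is served for at most `ttl` seconds, and a
    change pushed through `update_permissions` evicts it immediately."""

    def __init__(self, ttl: float = 30.0):
        self.ttl = ttl
        self._entries = {}  # user_id -> (expires_at, data)

    def get(self, user_id: str, now: Optional[float] = None) -> dict:
        now = time.monotonic() if now is None else now
        hit = self._entries.get(user_id)
        if hit is not None and hit[0] > now:
            return hit[1]
        data = load_from_store(user_id)
        self._entries[user_id] = (now + self.ttl, data)
        return data

    def invalidate(self, user_id: str) -> None:
        self._entries.pop(user_id, None)


CACHE = AuthzCache(ttl=30.0)


def update_permissions(user_id: str, permissions: list) -> None:
    """Admin-side change: write to the store, then evict the cached copy so the
    next request sees the new permissions instead of waiting out the TTL."""
    entry = AUTHZ_STORE.setdefault(user_id, {"roles": [], "permissions": []})
    entry["permissions"] = list(permissions)
    CACHE.invalidate(user_id)


def users_me(user_id: str, now: Optional[float] = None) -> dict:
    """Response for GET /api/users/me. `user_id` is taken from the verified
    identity token, never from the request body or query string."""
    authz = CACHE.get(user_id, now=now)
    body = {"id": user_id, **authz}
    etag = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()[:16]
    return {"status": 200, "etag": etag, "body": body}


def users_me_conditional(user_id: str, if_none_match: Optional[str], now=None) -> dict:
    """Honour If-None-Match so a navigation-triggered refresh is a cheap 304
    whenever the authorization data has not changed."""
    resp = users_me(user_id, now=now)
    if if_none_match is not None and if_none_match == resp["etag"]:
        return {"status": 304, "etag": resp["etag"], "body": None}
    return resp
```

The TTL caps how stale a cached answer can be if an invalidation is missed (for instance a change made by a process that does not share this cache), while the explicit `invalidate` keeps the common path immediate; both knobs stay server-side, so nothing about a user's permissions is ever baked into a token the client holds.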