
I have an authorization scheme for a user. This particular user is a member of multiple teams.

In the team MANAGEMENT the user has the role EMPLOYEE
In the team LOCATION_1 the user has the role MANAGER
In the team LOCATION_2 the user has the role MANAGER

How would this map to a JWT (this being a hierarchical setup)? Is there a default way this is mapped, for example by Azure Entra ID or other IAM / PAM / IGA environments?

1 Answer

The essence of a JWT is to provide Authentication: who is making the request. The "who" is stated in the subject field of the JWT.

When it comes to Roles and Authorisation, this is not stated by the specification at https://www.rfc-editor.org/rfc/rfc7519.html. But since the JWT can contain any information, you could add custom claims. It's common to use the JWT field scopes for specifying authorisation and roles for specifying roles and group memberships.

It may be that your authenticator has some built-in proprietary way of managing this, or you extend it with a custom plugin or filter that manages your access based on JWT content. It depends a bit on how you want these roles to be used. Should they be propagated as custom headers to downstream services that manage them locally, or do you want to control access already at the API Gateway level based on the user's role?
