FusionAuth

JWT token with roles

Q&A
  marco (last edited 19 Oct 2020, 14:46)

    Re: Implementing a Role-Based Access System for Authorization

    Hey everyone.

    We have a question about JWTs and roles;

    Our application is an admin panel which uses FusionAuth's Login API for authentication, and every other request will hit our own back-end;

    We need to protect endpoints by using the roles that are decoded from the token, and there is none;

    So I ask you guys:

    • Is it wrong to put it like that?

    • If not, how should we include the roles inside the token, knowing that on the docs, the claim "roles" is reserved? (https://fusionauth.io/docs/v1/tech/lambdas/jwt-populate)

    Thank you!

    dan (last edited 19 Oct 2020, 15:53)
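The back-end guard marco describes (decode the roles from the token, then protect the endpoint) only works if the token is verified before the roles claim is trusted. The following is an added example, not code from the thread or from FusionAuth. It assumes an HS256-signed JWT with a shared secret (one possible FusionAuth key configuration; an RS256 setup would verify against the public key instead), and all ids, secrets and the fixed clock value are constructed placeholders. It mints two sample tokens offline, one with the "roles" claim the thread is asking about and one without, and shows the full verify-then-authorize path: algorithm pinned, signature checked in constant time, expiry and audience enforced, and only then the role consulted.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example (not from the thread): the shared HS256
# secret and the application id the back-end expects to find in "aud".
SECRET = b"example-hs256-secret-change-me"
EXPECTED_AUD = "00000000-0000-0000-0000-000000000001"  # placeholder application id
NOW = 1603223630  # fixed "current time" so the sample tokens verify deterministically


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Mint a token so the example runs offline; in production the issuer (FusionAuth) does this."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(signature)}"


def verify_hs256(token: str, secret: bytes, audience: str, now: Optional[int] = None) -> dict:
    """Return the payload only if alg, signature, exp and aud all check out; raise otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the token must never get to choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(body_b64))
    current = int(time.time()) if now is None else now
    if int(payload.get("exp", 0)) <= current:
        raise ValueError("token expired")
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if audience not in audiences:
        raise ValueError("token was not issued for this application")
    return payload


def has_role(payload: dict, required: str) -> bool:
    """A missing "roles" claim means the user holds no roles; it is not an error."""
    return required in (payload.get("roles") or [])


def authorize(token: str, required_role: str, now: Optional[int] = None) -> bool:
    """Endpoint guard: verify first, then check the role. Any failure denies."""
    try:
        payload = verify_hs256(token, SECRET, EXPECTED_AUD, now)
    except ValueError:  # covers malformed base64 and JSON as well (both subclass ValueError)
        return False
    return has_role(payload, required_role)


# Constructed sample tokens: one carrying the roles claim, one without it (the thread's symptom).
TOKEN_WITH_ROLES = sign_hs256({"aud": EXPECTED_AUD, "exp": NOW + 3600, "iat": NOW,
                               "sub": "example-user", "roles": ["USER"]}, SECRET)
TOKEN_NO_ROLES = sign_hs256({"aud": EXPECTED_AUD, "exp": NOW + 3600, "iat": NOW,
                             "sub": "example-user"}, SECRET)

if __name__ == "__main__":
    print("USER on token with roles:", authorize(TOKEN_WITH_ROLES, "USER", NOW))
    print("USER on token without roles:", authorize(TOKEN_NO_ROLES, "USER", NOW))
    print("ADMIN on token with roles:", authorize(TOKEN_WITH_ROLES, "ADMIN", NOW))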

      @marco said in JWT token with roles:

      Is it wrong to put it like that?

      I think you're on the right track.

      @marco said in JWT token with roles:

      If not, how should we include the roles inside the token, knowing that on the docs, the claim "roles" is reserved? (https://fusionauth.io/docs/v1/tech/lambdas/jwt-populate)

      Have you added any roles to your FusionAuth application? Those roles should be put into the JWT automatically.

      https://fusionauth.io/docs/v1/tech/core-concepts/roles

      --
      FusionAuth - Auth for devs, built by devs.
      https://fusionauth.io

      marco (last edited 19 Oct 2020, 17:07)

        Hey Dan!

        @dan said in JWT token with roles:

        Have you added any roles to your FusionAuth application? Those roles should be put into the JWT automatically.

        Yes, we added one role on the application (USER), but still, there is no "roles" claim inside the token.

        (attached screenshot: token.png)

        Any advice on where to look Dan?

        Thanks again.

        dan (last edited 19 Oct 2020, 17:51)

          Is the user registered to the application within FusionAuth?

          Go to the user details page and look at the 'registrations' tab.

          (attached screenshot: Screen Shot 2020-10-19 at 11.50.35 AM.png)

          marco @dan (last edited 19 Oct 2020, 18:04)

            @dan

            Yes! The user is registered and verified.

            (attached screenshot: user.png)

            dan (last edited 19 Oct 2020, 21:27)

              Hmmm. A few more questions.

              And you are logging into that application (with a client_id)? Are you logging the user in with OAuth and the hosted login pages (that is within FusionAuth's UI you manage with themes) or with the login API? What version of FusionAuth are you using?

              marco (last edited 20 Oct 2020, 14:40)

                Hey Dan!

                So let me answer one by one:

                1. I am logging the user using Facebook, Google and Apple with FusionAuth's UI;
                2. The version we are using is 1.19.8;
                dan (last edited 20 Oct 2020, 20:02)

                  Hi Marco,

                  I'm unable to replicate using Google's Login with Google button (this is with 1.19.8).

                  Here's what my JWT looks like:

                  {
                    "aud": "ffbbef97-a2c0-49eb-990d-bd6e96acf2f9",
                    "exp": 1603227230,
                    "iat": 1603223630,
                    "iss": "acme.com",
                    "sub": "8c5a7890-3deb-4fc7-a5d9-29cf396847c5",
                    "jti": "f091312c-47ce-4125-a9a0-a2d2e7279ce3",
                    "authenticationType": "GOOGLE",
                    "email": "<email address>",
                    "email_verified": true,
                    "applicationId": "ffbbef97-a2c0-49eb-990d-bd6e96acf2f9",
                    "roles": [
                      "USER"
                    ]
                  }
                  

                  I'm not quite understanding what is going on, because my JWT doesn't look like yours. Typically if a user is registered for an application you'll receive an aud claim with the application id in it (more here on that).

                  I also note that the JWT you provide shows you are logging in with the PASSWORD method, not Google, Facebook or Apple.

                  Maybe it makes sense for you to lay out, step by step, the auth process a user goes through where they don't get the roles claim? Because I'm not sure what's going on.

                  marco (last edited 28 Oct 2020, 10:00)

                    @dan said in JWT token with roles:

                    "applicationId": "ffbbef97-a2c0-49eb-990d-bd6e96acf2f9",
                    "roles": [
                    "USER"
                    ]

                    Hey Dan!

                    Now we got it working.

                    For reference, we were not passing applicationId inside the request body, that's why the roles were not included in the token.

                    Thanks again for the time Dan!

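The resolution (the Login API request was missing applicationId, so the token came back without application-scoped claims) and dan's troubleshooting checklist (does aud name the application, is the user registered, is there a roles claim) can be turned into a small diagnostic. The code below is an added example, not the thread's or FusionAuth's own code. FusionAuth's POST /api/login endpoint, its loginId, password and applicationId body fields, the API-key Authorization header and the "token" field of the response are as FusionAuth documents them; the base URL, API key, user and application ids are placeholders, and the two sample payloads are constructed to mirror the token shape dan posted above and the unscoped token marco first saw. peek_claims deliberately does not verify the signature: it is for seeing what the issuer put in the token, never for an authorization decision.

```python
import base64
import json
import urllib.request
from typing import List, Optional

# Constructed placeholder (not a value from the thread).
APPLICATION_ID = "00000000-0000-0000-0000-000000000001"


def build_login_request(base_url: str, api_key: str, login_id: str, password: str,
                        application_id: Optional[str]) -> urllib.request.Request:
    """Build the Login API call. Passing application_id=None reproduces the thread's
    mistake: without applicationId the token is not scoped to the application."""
    body = {"loginId": login_id, "password": password}
    if application_id is not None:
        body["applicationId"] = application_id  # the fix marco reports above
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/api/login",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Authorization": api_key, "Content-Type": "application/json"},
    )


def peek_claims(token: str) -> dict:
    """Decode the payload WITHOUT checking the signature: troubleshooting only."""
    body = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


def check_token_claims(payload: dict, application_id: str) -> List[str]:
    """dan's checklist as code: returns the problems found, empty list if the token looks right."""
    problems = []
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if application_id not in audiences:
        problems.append("aud does not name the application: user not registered to it, "
                        "or applicationId omitted from the login request")
    if payload.get("applicationId") != application_id:
        problems.append("applicationId claim missing or for a different application")
    if not payload.get("roles"):
        problems.append("roles claim missing or empty: add a role to the application, "
                        "register the user, and log in with applicationId set")
    return problems


def login_and_check(base_url: str, api_key: str, login_id: str, password: str,
                    application_id: str) -> List[str]:
    """Log in and report which of the expected claims the returned token lacks (network call)."""
    req = build_login_request(base_url, api_key, login_id, password, application_id)
    with urllib.request.urlopen(req) as resp:
        token = json.load(resp)["token"]
    return check_token_claims(peek_claims(token), application_id)


# Constructed payload in the shape dan posted above, with placeholder ids.
GOOD_PAYLOAD = {
    "aud": APPLICATION_ID, "exp": 1603227230, "iat": 1603223630, "iss": "acme.com",
    "sub": "example-user", "jti": "example-jti", "authenticationType": "PASSWORD",
    "applicationId": APPLICATION_ID, "roles": ["USER"],
}
# Constructed payload for a login that did not name the application: no aud, applicationId or roles.
UNSCOPED_PAYLOAD = {
    "exp": 1603227230, "iat": 1603223630, "iss": "acme.com",
    "sub": "example-user", "jti": "example-jti", "authenticationType": "PASSWORD",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed, unsigned token carrying GOOD_PAYLOAD so peek_claims can be exercised offline.
SAMPLE_TOKEN = ".".join([_b64url(b'{"alg":"HS256","typ":"JWT"}'),
                         _b64url(json.dumps(GOOD_PAYLOAD).encode("utf-8")),
                         "signature-placeholder"])

if __name__ == "__main__":
    print("scoped token problems:", check_token_claims(GOOD_PAYLOAD, APPLICATION_ID))
    print("unscoped token problems:", check_token_claims(UNSCOPED_PAYLOAD, APPLICATION_ID))
    print("peeked roles:", peek_claims(SAMPLE_TOKEN).get("roles"))
```

To run it against a real instance, call login_and_check with your base URL, API key and application id; an empty list means the token carries aud, applicationId and roles for that application.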