FusionAuth

    JWT token with roles

    • M
      marco
      last edited by

      Re: Implementing a Role-Based Access System for Authorization

      Hey everyone.

      We have a question about JWTs and roles;

      Our application is an admin panel which uses FusionAuth's Login API for authentication, and every other request will hit our own back-end;

      We need to protect endpoints by using the roles that are decoded from the token, and there is none;

      So I ask you guys:

      • Is it wrong to put it like that?

      • If not, how should we include the roles inside the token, knowing that on the docs, the claim "roles" is reserved? (https://fusionauth.io/docs/v1/tech/lambdas/jwt-populate)

      Thank you!

      • danD
        dan
        last edited by

        Is it wrong to put it like that?

        I think you're on the right track.

        If not, how should we include the roles inside the token, knowing that on the docs, the claim "roles" is reserved? (https://fusionauth.io/docs/v1/tech/lambdas/jwt-populate)

        Have you added any roles to your FusionAuth application? Those roles should be put into the JWT automatically.

        https://fusionauth.io/docs/v1/tech/core-concepts/roles

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        • M
          marco
          last edited by

          Hey Dan!

          Have you added any roles to your FusionAuth application? Those roles should be put into the JWT automatically.

          Yes, we added one role on the application (USER), but still, there is no "roles" claim inside the token.

          [attached image: token.png]

          Any advice on where to look Dan?

          Thanks again.

          • danD
            dan
            last edited by

            Is the user registered to the application within FusionAuth?

            Go to the user details page and look at the 'registrations' tab.

            [attached image: Screen Shot 2020-10-19 at 11.50.35 AM.png]

            --
            FusionAuth - Auth for devs, built by devs.
            https://fusionauth.io

            • M
              marco @dan
              last edited by

              @dan

              Yes! The user is registered and verified.

              [attached image: user.png]

              • danD
                dan
                last edited by

                Hmmm. A few more questions.

                And you are logging into that application (with a client_id)? Are you logging the user in with OAuth and the hosted login pages (that is, within FusionAuth's UI, which you manage with themes) or with the Login API? What version of FusionAuth are you using?

                --
                FusionAuth - Auth for devs, built by devs.
                https://fusionauth.io

                • M
                  marco
                  last edited by

                  Hey Dan!

                  So let me answer one by one:

                  1. I am logging the user in using Facebook, Google and Apple with FusionAuth's UI;
                  2. The version we are using is 1.19.8;
                  • danD
                    dan
                    last edited by

                    Hi Marco,

                    I'm unable to replicate using Google's login with google button (this is with 1.19.8).

                    Here's what my JWT looks like:

                    {
                      "aud": "ffbbef97-a2c0-49eb-990d-bd6e96acf2f9",
                      "exp": 1603227230,
                      "iat": 1603223630,
                      "iss": "acme.com",
                      "sub": "8c5a7890-3deb-4fc7-a5d9-29cf396847c5",
                      "jti": "f091312c-47ce-4125-a9a0-a2d2e7279ce3",
                      "authenticationType": "GOOGLE",
                      "email": "<email address>",
                      "email_verified": true,
                      "applicationId": "ffbbef97-a2c0-49eb-990d-bd6e96acf2f9",
                      "roles": [
                        "USER"
                      ]
                    }
                    

                    I'm not quite understanding what is going on, because my JWT doesn't look like yours. Typically if a user is registered for an application you'll receive an aud claim with the application id in it (more here on that).

                    I also note that the JWT you provide shows you are logging in with the PASSWORD method, not google, facebook or apple.

                    Maybe it makes sense for you to lay out, step by step, the auth process a user goes through where they don't get the roles claim? Because I'm not sure what's going on.

                    --
                    FusionAuth - Auth for devs, built by devs.
                    https://fusionauth.io

                    • M
                      marco
                      last edited by

                      @dan said in JWT token with roles:

                      "applicationId": "ffbbef97-a2c0-49eb-990d-bd6e96acf2f9",
                      "roles": [
                        "USER"
                      ]

                      Hey Dan!

                      Now we got it working.

                      For reference, we were not passing applicationId inside the request body, that's why the roles were not included in the token.

                      Thanks again for the time Dan!

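For readers who land here with the same question, here is what the back-end side of this thread looks like in code: verify the JWT, then authorize the request from the roles claim, failing closed when the claim is absent (exactly what marco saw when applicationId was left out of the Login API request). This is an added example, not FusionAuth's code or marco's back-end. It assumes HS256 signing with a shared secret (FusionAuth can also sign with RSA/EC keys; only the signature step would change), uses the aud value from Dan's sample token as the application id, and builds its sample tokens inline with a placeholder key so it runs offline; the token "without applicationId" is a constructed approximation of the symptom, not a captured FusionAuth token.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example. The application id is the "aud" value from Dan's sample
# token in this thread; the key is a placeholder, not a real FusionAuth signing secret.
APPLICATION_ID = "ffbbef97-a2c0-49eb-990d-bd6e96acf2f9"
SIGNING_KEY = b"placeholder-hs256-secret-for-the-example-only"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT. Used only to build sample tokens; a resource server never mints tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, expected_aud: str, now=None) -> dict:
    """Check structure, pinned alg, signature, exp and aud; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token header choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    # A token issued for another application, or with no aud at all, must not unlock this API.
    if claims.get("aud") != expected_aud:
        raise ValueError("wrong or missing audience")
    return claims


def authorize(token: str, required_role: str, now=None) -> bool:
    """True only when the token verifies for this application and its roles claim contains required_role."""
    try:
        claims = verify_hs256(token, SIGNING_KEY, APPLICATION_ID, now)
    except ValueError:
        return False
    roles = claims.get("roles")
    # Fail closed: a missing or malformed roles claim (the symptom in this thread) grants nothing.
    if not isinstance(roles, list):
        return False
    return required_role in roles


# --- Sample tokens, constructed to mirror the payloads discussed in the thread ---------------
NOW = 1603223630  # fixed clock (the iat from Dan's token) so the example is deterministic
BASE_CLAIMS = {
    "aud": APPLICATION_ID, "exp": NOW + 3600, "iat": NOW, "iss": "acme.com",
    "sub": "user-id-placeholder", "authenticationType": "PASSWORD",
    "applicationId": APPLICATION_ID,
}
# Login API call that included applicationId for a registered user: roles present.
TOKEN_WITH_ROLES = sign_hs256({**BASE_CLAIMS, "roles": ["USER"]}, SIGNING_KEY)
# Login API call without applicationId: no aud/applicationId and no roles claim (constructed approximation).
TOKEN_NO_APP = sign_hs256({k: v for k, v in BASE_CLAIMS.items() if k not in ("aud", "applicationId")}, SIGNING_KEY)
# Right audience but no roles claim at all (constructed): must also be denied.
TOKEN_NO_ROLES = sign_hs256(BASE_CLAIMS, SIGNING_KEY)
# Payload edited after issuance to add ADMIN while keeping the original signature: fails verification.
_h, _p, _s = TOKEN_WITH_ROLES.split(".")
_forged_payload = _b64url_encode(json.dumps({**BASE_CLAIMS, "roles": ["ADMIN"]}, separators=(",", ":")).encode())
TAMPERED_TOKEN = f"{_h}.{_forged_payload}.{_s}"

if __name__ == "__main__":
    for name, tok in [("with roles", TOKEN_WITH_ROLES), ("no applicationId", TOKEN_NO_APP),
                      ("no roles claim", TOKEN_NO_ROLES), ("tampered", TAMPERED_TOKEN)]:
        print(f"{name:>18}: USER={authorize(tok, 'USER', NOW)}  ADMIN={authorize(tok, 'ADMIN', NOW)}")
```

Two points worth keeping from this: the roles claim is only meaningful after the signature and the aud check have passed, so the order in verify_hs256 matters, and a token with no roles claim should deny rather than throw, which is the behaviour you want while debugging a misconfigured login flow like the one in this thread.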