Is it possible to have cross-application roles in JWT tokens?
-
Hello, we are planning to use FusionAuth to rework the authentication & authorization mechanisms of our SaaS solution.
We have multiple SPA (Angular) applications relying on different APIs (.NET Core, all on the same root domain name). We have a set of internal super-admin users and a lot of end-users who are our clients.
- We would like our Angular applications to implement the Authorization Code Grant.
- Retrieve all roles available for a user (for all applications) in the JWT token.
So that the end-user is able to sign in once and can navigate across the apps for which he has the expected roles.
To do so, we were planning to have a central endpoint (an API set up as a dedicated FusionAuth application) that would be in charge of exchanging the authorization code for the desired tokens, which would contain all of the user's roles for SPA1, SPA2, API1, etc.
In the tests we did we were receiving only the roles for the central application while we would like to receive the roles for all the apps of the tenant.
Could you please tell us whether the architecture we are planning is a good approach, or are we going in the wrong direction? And if so, what would you recommend implementing for our need?
Thanks.
-
Hi @sferry,
Welcome to the FusionAuth community!
As far as gathering up all the roles into your JWT, you should be able to do that.
- Make sure that your users are registered (in FusionAuth) for all the applications to which they have access.
- Set up a JWT populate lambda to pull the various roles from the registrations object provided to you and put them into your JWT. You have the user object, which has the registrations object on it, which has all the roles the user is assigned at login time. More on a lambda here: https://fusionauth.io/docs/v1/tech/lambdas/jwt-populate/
- Consume the JWT and check for proper authorization.
FYI, if you want architecture advice from FusionAuth engineers, that's available when you buy an edition with support included. More on technical support options here: https://fusionauth.io/technical-support/
HTH.
Dan
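A worked illustration of the lambda approach described in the answer above, added here as an example; it is not code from the thread or from FusionAuth's documentation. The user object follows FusionAuth's shape (user.registrations[] entries carrying applicationId and roles[]) and the lambda uses the populate(jwt, user, registrations) entry point, but the claim name applicationRoles, the sample application IDs, and the hasRole consumer helper are assumptions made for this example.

```javascript
// Added example (not from the original thread or FusionAuth's docs).
// Assumptions: the `applicationRoles` claim name, the sample application IDs,
// and the hasRole() consumer helper are all invented for illustration.

// Constructed sample: one user registered for three applications in a tenant.
// A user who is NOT registered for an application simply has no entry here,
// which is why step 1 of the answer (register the user everywhere) matters.
const sampleUser = {
  id: "00000000-0000-0000-0000-000000000001",
  email: "user@example.com",
  registrations: [
    { applicationId: "spa1-app-id", roles: ["viewer"] },
    { applicationId: "api1-app-id", roles: ["orders:write", "orders:read"] },
    { applicationId: "central-app-id", roles: ["user"] },
  ],
};

// JWT populate lambda body. FusionAuth invokes populate(jwt, user, registrations);
// this version reads user.registrations, as the answer suggests, and records
// the roles per application instead of flattening them into one list.
function populate(jwt, user, registrations) {
  const byApp = {};
  for (const reg of user.registrations || []) {
    // Only emit applications where the user actually holds at least one role;
    // sort so the claim is stable across logins.
    if (Array.isArray(reg.roles) && reg.roles.length > 0) {
      byApp[reg.applicationId] = [...reg.roles].sort();
    }
  }
  jwt.applicationRoles = byApp; // assumed custom claim name
  return jwt;
}

// Consumer side (each API, after verifying the token's signature):
// check the roles recorded for THIS application's ID only. A role held for a
// different application must not grant access here.
function hasRole(claims, applicationId, role) {
  const roles = (claims.applicationRoles || {})[applicationId] || [];
  return roles.includes(role);
}

// Run the lambda the way FusionAuth would, starting from the standard claims
// it has already populated (sub and aud are the central application here).
function buildClaims() {
  const jwt = { sub: sampleUser.id, aud: "central-app-id" };
  return populate(jwt, sampleUser, sampleUser.registrations);
}
```

The per-application map is deliberate: a single flat roles array would let a "viewer" role granted on SPA1 satisfy a "viewer" check on API1. Each API should look up its own applicationId in the claim, and should still validate the token's signature and issuer against FusionAuth before trusting any of it.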