CorlinP

Reputation: 179

How to deal with changing permissions with JWTs

JWT promises to be faster / simpler by including permissions in the Token itself. However my question is this: say a user is logged in, and is using a JWT that contains permission info allowing them access to A and B.
Then an admin or other user comes along and grants that user permission to view C while the user is still logged in. But because the user is still using the old JWT, he's still not going to be able to access C.

What are the options here? Blacklist the token and force the user to log in again? Or forget about token-based permissions altogether?

Upvotes: 2

Views: 1013

Answers (2)

Abhishek Singh

Reputation: 1671

JWT tokens are stored in localStorage or cookies on the frontend side, so this is the issue your application will face with changing permissions.

Use a refresh token mechanism with a unique SECRET per user, stored in the database, so that changing this SECRET forces that particular user to re-login and get a new token with updated permissions.

Upvotes: 6

cassiomolin

Reputation: 130907

Personally, I would rely on JWT for authentication (who the caller is) only.

For authorization (what the caller can do), look up the caller roles/permissions from your persistent storage to get the most updated information.

Upvotes: 2
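As an added example (not code from the question or from either answer), the following Python models both approaches side by side on a toy HS256 JWT signer and an in-memory user store standing in for the database: the first answer's permissions-in-the-token plus a per-user refresh secret that is rotated to force re-login, and the second answer's identity-only token with permissions looked up from the store on every request. The signing key, the user `alice`, the permissions A/B/C, the timestamps and the TTLs are all constructed for the illustration; a real deployment should use a vetted JWT library rather than this signer.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Assumed for the example: one HS256 key for access tokens. Not a real deployment key.
SERVER_KEY = b"example-server-signing-key-do-not-reuse"
ACCESS_TTL = 300        # seconds; bounds how stale token-embedded permissions can be
REFRESH_TTL = 86400

# Constructed in-memory stand-in for the database the answers refer to.
USERS = {}

def reset_store():
    USERS.clear()
    USERS["alice"] = {"permissions": {"A", "B"}, "refresh_secret": secrets.token_bytes(32)}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_sign(claims: dict, key: bytes) -> str:
    """Minimal HS256 signer (illustration only)."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def jwt_verify(token: str, key: bytes, now: float) -> Optional[dict]:
    """Return the claims if the HS256 signature and 'exp' check out, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None                      # pin the algorithm: never accept 'none' or a swapped alg
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:                       # malformed structure, base64 or JSON
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims

# Strategy 1 (first answer): permissions ride in the access token; the refresh token is
# signed with a per-user secret kept in the store, so rotating that secret forces re-login.
def login(user: str, now: float):
    u = USERS[user]
    access = jwt_sign({"sub": user, "perms": sorted(u["permissions"]), "exp": now + ACCESS_TTL}, SERVER_KEY)
    refresh_tok = jwt_sign({"sub": user, "exp": now + REFRESH_TTL}, u["refresh_secret"])
    return access, refresh_tok

def refresh(refresh_tok: str, now: float) -> Optional[str]:
    """New access token carrying the user's *current* permissions, or None if refresh is no longer valid."""
    try:   # read the unverified subject only to pick which per-user secret to verify against
        sub = json.loads(_b64url_decode(refresh_tok.split(".")[1]))["sub"]
    except (ValueError, KeyError, IndexError, TypeError):
        return None
    u = USERS.get(sub)
    if u is None or jwt_verify(refresh_tok, u["refresh_secret"], now) is None:
        return None
    return jwt_sign({"sub": sub, "perms": sorted(u["permissions"]), "exp": now + ACCESS_TTL}, SERVER_KEY)

def grant_and_rotate(user: str, perm: str):
    USERS[user]["permissions"].add(perm)
    USERS[user]["refresh_secret"] = secrets.token_bytes(32)  # every outstanding refresh token now fails

def allowed_by_token(access: str, perm: str, now: float) -> bool:
    claims = jwt_verify(access, SERVER_KEY, now)
    return claims is not None and perm in claims.get("perms", [])

# Strategy 2 (second answer): the token proves identity only; permissions come from the store.
def allowed_by_store(access: str, perm: str, now: float) -> bool:
    claims = jwt_verify(access, SERVER_KEY, now)
    u = USERS.get(claims.get("sub")) if claims else None
    return u is not None and perm in u["permissions"]

def run_scenario() -> dict:
    """Walk through the question's situation and return what each strategy decides."""
    reset_store()
    t0 = 1_700_000_000.0
    access, refresh_tok = login("alice", t0)
    r = {"before_grant": allowed_by_token(access, "C", t0 + 10)}
    grant_and_rotate("alice", "C")                               # admin grants C while alice is logged in
    r["stale_token"] = allowed_by_token(access, "C", t0 + 20)    # still denied until the access token expires
    r["store_lookup"] = allowed_by_store(access, "C", t0 + 20)   # granted immediately
    r["refresh_after_rotate"] = refresh(refresh_tok, t0 + 30)    # None: the user must log in again
    new_access, _ = login("alice", t0 + 40)
    r["relogin_token"] = allowed_by_token(new_access, "C", t0 + 50)
    r["after_expiry"] = allowed_by_token(access, "A", t0 + ACCESS_TTL + 1)
    # A client cannot grant itself C by editing the payload: the signature no longer matches.
    h, p, s = access.split(".")
    forged_claims = json.loads(_b64url_decode(p))
    forged_claims["perms"].append("C")
    forged = f"{h}.{_b64url(json.dumps(forged_claims, sort_keys=True).encode())}.{s}"
    r["forged_token"] = allowed_by_token(forged, "C", t0 + 60)
    return r

if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The scenario makes the trade-off concrete: with permissions embedded in the token, the grant of C is invisible to the already-issued access token until it expires (ACCESS_TTL bounds that window), and rotating the per-user secret only bites at the next refresh; with the store lookup, the same token sees C on the very next request at the cost of a database read per request.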
