Reputation: 164
I have a Web API with many controllers. For those controllers I defined a lot of roles and decorated the controllers/actions with them. To access the API I use JWT.
I tried to write my roles into the JWT as key/value pairs. This works fine, but if I put many roles into my JWT the token gets very big. I searched the web and saw some solutions, like a middleware where I fetch the roles for the user every time a request is triggered. The second solution I found was to make an enum for the roles and store numbers instead of names in the JWT -> the JWT gets smaller. My problem is that it does not feel like the correct way. I use .NET Core and Identity Framework. What is the best practice for this problem?
Upvotes: 2
Views: 2526
Reputation: 17496
You are experiencing "role explosion" which is a flaw of role-based access control.
Other than trying to reduce the number of roles, which may not be possible, or doing role retrieval on every request, which comes at the cost of speed, you can use authorization models like ABAC or ReBAC (e.g. OpenFGA), which have all the benefits of RBAC and allow more fine-grained control.
Upvotes: 1
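The attribute-based approach the answer points to can be built with ASP.NET Core's resource-based authorization, with no role per region or per document. The following is an added example, not code from the question or the answer; the `Report` type, the `region` claim name, the `Editor` role and the in-memory report stub are assumptions made for illustration. The policy compares attributes of the caller (id, region) with attributes of the resource, so one `Editor` role plus a region claim replaces a "Region-X-Editor" role for every region.

```csharp
// Added example: attribute-based (resource-based) authorization in ASP.NET Core.
// Assumed types and claim names: Report, ReportEditRequirement, "region".
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public sealed class Report
{
    public int Id { get; set; }
    public string OwnerId { get; set; }
    public string Region { get; set; }
}

// A marker requirement; the decision lives in the handler.
public sealed class ReportEditRequirement : IAuthorizationRequirement { }

// Resource-based handler: receives both the principal and the concrete Report.
public sealed class ReportEditHandler : AuthorizationHandler<ReportEditRequirement, Report>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        ReportEditRequirement requirement,
        Report report)
    {
        var userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        var userRegion = context.User.FindFirst("region")?.Value; // assumed claim name

        // Rule 1: the owner may edit their own report.
        bool isOwner = userId != null && userId == report.OwnerId;
        // Rule 2: an Editor may edit any report in their own region.
        bool isRegionalEditor = context.User.IsInRole("Editor")
                                && userRegion != null
                                && userRegion == report.Region;

        if (isOwner || isRegionalEditor)
            context.Succeed(requirement);

        // Not calling context.Fail() lets other handlers for the same
        // requirement still grant access; an unmet requirement is denied anyway.
        return Task.CompletedTask;
    }
}

[ApiController]
[Route("api/reports")]
public sealed class ReportsController : ControllerBase
{
    private readonly IAuthorizationService _authz;

    public ReportsController(IAuthorizationService authz) => _authz = authz;

    [HttpPut("{id}")]
    public async Task<IActionResult> Edit(int id, [FromBody] Report update)
    {
        // Assumed: in a real service the report is loaded from a store.
        var report = new Report { Id = id, OwnerId = "user-42", Region = "EMEA" };

        // Imperative check against the loaded resource (not an attribute).
        var result = await _authz.AuthorizeAsync(User, report, new ReportEditRequirement());
        if (!result.Succeeded)
            return Forbid();

        // ... apply the update ...
        return NoContent();
    }
}

// Registration in ConfigureServices / Program.cs:
// services.AddAuthorization();
// services.AddSingleton<IAuthorizationHandler, ReportEditHandler>();
```

The check has to be imperative (`IAuthorizationService.AuthorizeAsync` with the resource) rather than a `[Authorize(Policy = ...)]` attribute, because the handler needs the loaded `Report` and the attribute runs before the action body executes. The token now only needs the user id, the region and at most a handful of coarse roles, which is what keeps it small.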
Reputation: 27578
There is no "best practice". Storing roles in JWT tokens is quite normal. But a token with role claims has permission to access your website until it expires; if someone updates the user's roles, it won't affect the token unless you have token revocation logic. Looking up the roles/permissions in the DB will make the system more secure since it will always get the newest roles of that user. But that will affect the server's performance if you have a large application, depending on the number of requests you issue.
Anyway, if possible, please design/manage your roles to avoid a user having a lot of roles.
Upvotes: 1
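The trade-off this answer describes (fresh roles from the database versus a DB round trip per request) can be narrowed with a claims transformation that runs after the JWT is validated: the token carries only the user id, the roles are loaded on the server, and a short cache bounds the load. This is an added example, not code from the answer or from ASP.NET Core Identity itself; the 30-second TTL, the `roles:` cache key prefix and the use of `IdentityUser` are assumptions.

```csharp
// Added example: resolve roles server-side on every request instead of
// putting them in the JWT. Assumptions: IdentityUser as the user type,
// a 30 s in-memory cache, cache keys of the form "roles:<userId>".
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Caching.Memory;

public sealed class DbRoleClaimsTransformation : IClaimsTransformation
{
    // Upper bound on how long a revoked role stays effective (assumed value).
    private static readonly TimeSpan CacheTtl = TimeSpan.FromSeconds(30);

    private readonly UserManager<IdentityUser> _users;
    private readonly IMemoryCache _cache;

    public DbRoleClaimsTransformation(UserManager<IdentityUser> users, IMemoryCache cache)
    {
        _users = users;
        _cache = cache;
    }

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        var identity = principal.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return principal;

        // The transformation may run more than once per request; if role
        // claims are already present (from an earlier run), leave it alone.
        if (identity.HasClaim(c => c.Type == identity.RoleClaimType))
            return principal;

        var userId = principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (userId == null)
            return principal;

        // One DB lookup per user per TTL instead of one per request.
        var roles = await _cache.GetOrCreateAsync("roles:" + userId, async entry =>
        {
            entry.AbsoluteExpirationRelativeToNow = CacheTtl;
            var user = await _users.FindByIdAsync(userId);
            return user == null
                ? Array.Empty<string>()
                : (await _users.GetRolesAsync(user)).ToArray();
        });

        // Do not mutate the incoming principal; build a new identity
        // that keeps the JWT's claims and adds the database roles.
        var enriched = new ClaimsIdentity(
            identity.Claims,
            identity.AuthenticationType,
            identity.NameClaimType,
            identity.RoleClaimType);

        foreach (var role in roles)
            enriched.AddClaim(new Claim(identity.RoleClaimType, role));

        return new ClaimsPrincipal(enriched);
    }
}

// Registration in ConfigureServices / Program.cs, alongside AddAuthentication().AddJwtBearer(...):
// services.AddMemoryCache();
// services.AddTransient<IClaimsTransformation, DbRoleClaimsTransformation>();
```

With this in place the existing `[Authorize(Roles = "...")]` attributes keep working unchanged, because `IsInRole` reads the claims the transformation added. The cache makes a role removal take effect within `CacheTtl` rather than at token expiry; to make it immediate, remove the `roles:<userId>` entry from the cache wherever roles are changed. Note that `IMemoryCache` is per process, so on a multi-instance deployment each instance has its own staleness window, or a distributed cache should be used instead.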