Reputation: 11
I have been reading a lot the past few days about OAuth2, and I understand the use of scopes to delegate access in the name of a user. My question is: if I have users `sub: A` and `sub: B` and a `/resource/X` that only user A should have access to, should I use a scope `read:X` in combination with the `sub` field to determine whether the user can access that resource, or is it enough to have only the `sub` field with value A?
I am learning how to use the Auth0 API, and there is a question posted in 2018 with no answers that describes exactly my doubts: Comment about the sub field from tokens
Upvotes: 1
Views: 1112
Reputation: 29218
In simple APIs it is common to use scopes alone to determine access to resources. Read and write scopes are common, as are scopes that represent other high-level privileges. There are limits to how well this scales, though.
In more complex business apps you usually need to identify the user from the token (via the sub claim) so that you can then serve resources associated with that particular user's history.
This typically involves mapping the sub claim from access tokens to your API's own data, as in my posts below:
Upvotes: 1
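The pattern the answer describes, as an added example that is not part of the original post or of Auth0's API: the scope claim decides what kind of operation the caller is allowed to perform, the sub claim identifies the caller, and the API's own data (here a constructed owner table, in practice a database lookup) decides whether that caller owns the resource. Scope names, the owner table and the token payloads are all assumed for illustration; the function takes the claims of a token whose signature, issuer, audience and expiry have already been verified by a JWT library.

```python
"""Added example: authorizing a request on an OAuth2-protected API by
combining the token's scope claim with its sub claim.

All names, the resource table and the token payloads below are constructed
for illustration; they are not Auth0's API or a standard scope vocabulary.
"""
from dataclasses import dataclass

# Constructed sample data: which subject owns which resource. In a real API
# this is a lookup in your own database, keyed by the sub claim.
RESOURCE_OWNERS = {"X": "A", "Y": "B"}

# Assumed scope naming: scopes describe the kind of operation, not a single
# resource id. A per-resource scope such as read:X would have to be minted
# for every resource, which is the scaling problem the answer refers to.
REQUIRED_SCOPE = {
    "GET": "read:resource",
    "PUT": "write:resource",
    "DELETE": "write:resource",
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str  # for your own logs; the HTTP response should not echo it


def parse_scopes(claims):
    """Return the set of scopes granted by the token.

    RFC 6749 / RFC 8693 define scope as a space-delimited string. Some
    providers instead emit a JSON array, so both shapes are accepted;
    anything else is treated as "no scopes" rather than raising.
    """
    scope = claims.get("scope", "")
    if isinstance(scope, str):
        return set(scope.split())
    if isinstance(scope, list):
        return {s for s in scope if isinstance(s, str)}
    return set()


def authorize(claims, method, resource_id):
    """Decide whether the verified token `claims` may perform `method` on
    `resource_id`. Both checks must pass: the scope check (coarse privilege)
    and the ownership check (this particular user)."""
    sub = claims.get("sub")
    if not sub:
        return Decision(False, "token has no sub claim")

    required = REQUIRED_SCOPE.get(method)
    if required is None:
        return Decision(False, f"unsupported method {method}")
    if required not in parse_scopes(claims):
        return Decision(False, f"missing scope {required}")

    owner = RESOURCE_OWNERS.get(resource_id)
    # Unknown resource and resource owned by someone else get the same
    # answer, so a caller cannot enumerate which ids exist.
    if owner is None or owner != sub:
        return Decision(False, "resource not found or not owned by caller")

    return Decision(True, "ok")


if __name__ == "__main__":
    # Constructed token payloads (signature etc. assumed already verified).
    token_a = {"sub": "A", "scope": "read:resource write:resource"}
    token_b = {"sub": "B", "scope": "read:resource"}
    for claims, method, rid in [
        (token_a, "GET", "X"),   # A reads own resource: allowed
        (token_b, "GET", "X"),   # B has read scope but does not own X: denied
        (token_b, "PUT", "Y"),   # B owns Y but lacks write scope: denied
    ]:
        d = authorize(claims, method, rid)
        print(f"sub={claims['sub']} {method} /resource/{rid} -> "
              f"{'allow' if d.allowed else 'deny'} ({d.reason})")
```

Note that user B's token carries a perfectly valid read scope and is still refused `/resource/X`; that is the point of the sub-to-data mapping. Map a denied decision to a single HTTP status (403, or 404 if you prefer not to reveal that the resource exists) regardless of which check failed.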