RBAC with JWT containing role

This guide explains how to set up Role-Based Access Control with JWT containing a role claim

This guide is based on the TokenInstrospector tutorial. But we won't' create User resource

Token introspection

To make Aidbox trust JWT issued by external server token introspection is used.

In this guide, the external auth server URL is https://auth.example.com

Create TokenIntrospector

PUT /TokenIntrospector/external-auth-server
content-type: text/yaml

resourceType: TokenIntrospector
id: external-auth-server
type: jwt
jwt:
  iss: https://auth.example.com
  secret: very-secret

Currently, we use a common secret to validate our introspector works. In production installations, it's better to switch to jwks_uri instead.

Create AccessPolicy for the role manager

PUT /AccessPolicy/as-manager-get-users-list
content-type: text/yaml

resourceType: AccessPolicy
id: as-manager-get-users-list
engine: json-schema
schema:
  required:
  - jwt
  properties:
    uri:
      enum:
        - /User
      type: string
    request-method:
      constant: get
    jwt:
      required:
        - iss
        - role
      properties:
        iss:
          constant: https://auth.example.com
        role:
          constant: manager

Create JWT token

To build JWT use this tool. Mind the claims:

  • issuer claim should be https://auth.example.com

  • role additional claim should be manager

  • expiration claim should be in the future

  • subject claim can be any value

The key should be very-secret

To get signed JWT press the Create Signed JWT button. The generated JWT looks like this

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2F1dGguZXhhbXBsZS5jb20iLCJpYXQiOjE2NzU3NTgzMDEsImV4cCI6MTcwNzI5NDMwMSwiYXVkIjoiaHR0cHM6Ly9hdXRoLmV4YW1wbGUuY29tIiwic3ViIjoiYWxpY2VAZXhhbXBsZS5jb20iLCJyb2xlIjoibWFuYWdlciJ9.X7sibz1LloKlMPVV5Q39gSAJBxxutCORtYq4oRt1eAo

Use the JWT to get the access

Make an HTTP request providing authorization header with the JWT as a Bearer token.

GET /User
content-type: text/yaml
Authorization: Bearer eyJ0...1eAo

Last updated