RBAC with JWT containing role

This guide explains how to set up Role-Based Access Control with JWT containing a role claim

This guide is based on the . But we won't' create User resource

Token introspection

To make Aidbox trust JWT issued by external server token introspection is used.

In this guide, the external auth server URL is https://auth.example.com

Create `TokenIntrospector`

PUT /fhir/TokenIntrospector/external-auth-server
content-type: text/yaml

resourceType: TokenIntrospector
id: external-auth-server
type: jwt
jwt:
  iss: https://auth.example.com
  secret: very-secret

Currently, we use a common secret to validate our introspector works. In production installations, it's better to switch to jwks_uri instead.

Create `AccessPolicy` for the role `manager`

PUT /fhir/AccessPolicy/as-manager-get-users-list
content-type: text/yaml

resourceType: AccessPolicy
id: as-manager-get-users-list
engine: json-schema
link:
  - reference: Operation/FhirSearch
schema:
  required:
  - jwt
  properties:
    uri:
      enum:
        - /User
      type: string
    request-method:
      constant: get
    jwt:
      required:
        - iss
        - role
      properties:
        iss:
          constant: https://auth.example.com
        role:
          constant: manager

Create `JWT` token

issuer claim should be https://auth.example.com
role additional claim should be manager
expiration claim should be in the future
subject claim can be any value

The key should be very-secret

To get signed JWT press the Create Signed JWT button. The generated JWT looks like this

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2F1dGguZXhhbXBsZS5jb20iLCJpYXQiOjE2NzU3NTgzMDEsImV4cCI6MTcwNzI5NDMwMSwiYXVkIjoiaHR0cHM6Ly9hdXRoLmV4YW1wbGUuY29tIiwic3ViIjoiYWxpY2VAZXhhbXBsZS5jb20iLCJyb2xlIjoibWFuYWdlciJ9.X7sibz1LloKlMPVV5Q39gSAJBxxutCORtYq4oRt1eAo

Use the `JWT` to get the access

Make an HTTP request providing authorization header with the JWT as a Bearer token.

GET /fhir/User
content-type: text/yaml
Authorization: Bearer eyJ0...1eAo

entry: []
link:
- relation: first
  url: "/User?page=1"
- relation: self
  url: "/User?page=1"
query-sql:
- 'SELECT "user".* FROM "user" LIMIT ? OFFSET ? '
- 100
- 0
query-time: 4
query-timeout: 60000
resourceType: Bundle
total: 0
type: searchset

PreviousFlexible RBAC built-in to Aidbox NextRBAC with ACL

Last updated 4 days ago

Was this helpful?

Create TokenIntrospector

PUT /fhir/TokenIntrospector/external-auth-server
content-type: text/yaml

resourceType: TokenIntrospector
id: external-auth-server
type: jwt
jwt:
  iss: https://auth.example.com
  secret: very-secret

Currently, we use a common secret to validate our introspector works. In production installations, it's better to switch to jwks_uri instead.

Create AccessPolicy for the role manager

PUT /fhir/AccessPolicy/as-manager-get-users-list
content-type: text/yaml

resourceType: AccessPolicy
id: as-manager-get-users-list
engine: json-schema
link:
  - reference: Operation/FhirSearch
schema:
  required:
  - jwt
  properties:
    uri:
      enum:
        - /User
      type: string
    request-method:
      constant: get
    jwt:
      required:
        - iss
        - role
      properties:
        iss:
          constant: https://auth.example.com
        role:
          constant: manager

Create JWT token

To build JWT use . Mind the claims:

issuer claim should be https://auth.example.com

role additional claim should be manager

expiration claim should be in the future

subject claim can be any value

The key should be very-secret

To get signed JWT press the Create Signed JWT button. The generated JWT looks like this

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2F1dGguZXhhbXBsZS5jb20iLCJpYXQiOjE2NzU3NTgzMDEsImV4cCI6MTcwNzI5NDMwMSwiYXVkIjoiaHR0cHM6Ly9hdXRoLmV4YW1wbGUuY29tIiwic3ViIjoiYWxpY2VAZXhhbXBsZS5jb20iLCJyb2xlIjoibWFuYWdlciJ9.X7sibz1LloKlMPVV5Q39gSAJBxxutCORtYq4oRt1eAo

Use the JWT to get the access

Make an HTTP request providing authorization header with the JWT as a Bearer token.

GET /fhir/User
content-type: text/yaml
Authorization: Bearer eyJ0...1eAo

entry: []
link:
- relation: first
  url: "/User?page=1"
- relation: self
  url: "/User?page=1"
query-sql:
- 'SELECT "user".* FROM "user" LIMIT ? OFFSET ? '
- 100
- 0
query-time: 4
query-timeout: 60000
resourceType: Bundle
total: 0
type: searchset

Token introspection

Create TokenIntrospector

Create AccessPolicy for the role manager

Create JWT token

Use the JWT to get the access

Token introspection

Create TokenIntrospector

Create AccessPolicy for the role manager

Create JWT token

Use the JWT to get the access

Create `TokenIntrospector`

Create `AccessPolicy` for the role `manager`

Create `JWT` token

Use the `JWT` to get the access

Create `TokenIntrospector`

Create `AccessPolicy` for the role `manager`

Create `JWT` token

Use the `JWT` to get the access