stackoom
  简体   繁体   中英

how to handle/manage a lot of permissions in access-token? what's the best approach?

 原文  2022-10-18 12:22:33       permissions/ jwt/ access-token/ auth0/ claims

Question

I'm getting a "Request header is too long" error when i was trying to access my API and send token in header. How we can manage a permissions in access-token because i have a lot of permissions in access-token it's approximately 15kb in size. I know it's not recommended to store permissions in access-token then what's the best approach to authenticate and authorize the users on API side?

We are getting all the permissions in access token but now permissions are getting large as we have lot of modules. What is the other way to access user permissions in asp.net core API instead of keeping it in access token?

    {
  "roles": [
    "Admin"
  ],
  "iss": "Issuer",
  "sub": "sub",
  "aud": [
    "https://example.com/api",
    "https://example.com/userinfo"
  ],
  "iat": 1666198659,
  "exp": 1666205859,
  "azp": "azp",
  "scope": "openid profile email offline_access",
  "org_id": "company1",
  "permissions": [
    "permission.1",
    "permission.2",
    ........
    "permission.150",
]
}

2 answers

solution1
 1  2022-12-01 23:26:47

This could be a solution: https://auth0.com/developers/lab/fine-grained-authorization

Basically, since every user has a lot of permissions, you don't store them in the token anymore; you can call this service which stores them for you.

Disclaimer: I am part of the team building this solution:)

solution2
 0  2022-10-29 00:27:58

You have two options.

  1. You can try to shorten the permissions down using something like the approach here . There are lots of other similar questions with similar approaches. However, know that you limit your number of permissions based on what you inherit from so this may or may not work. You can stick a string into the JWT with each char working as a flag for a permission. This comes with more downsides, namely keeping the data up-to-date.

  2. You setup a remote system for authorization. Something like Policy Server from Duende . This means no authorization data in the JWT. For instance you can make a simple http call to your identity server from your api/client and have the identity server evaluate if the user can do what they want to.

The latter seems right for your scenario because of your large amounts of permissions. It comes with overhead but there isn't really an alternative. https://github.com/Perustaja/PermissionServerDemo is an example that uses the built in ASP.NET Core authorization evaluation along with gRPC for the.network calls. You can make something leaner and simpler that basically does the same thing if you don't want a lot of infrastructure.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to manage permissions for S3 mounting in Databricks What is the best way to manage permissions for a web application - bitmask or database table? Unable to delete comment using Facebook Javascript SDK - use right access-token How to add the permissions in the access token of Microsoft Graph API How do you handle 100s of permissions in ABP How to handle user permissions Android Google Map - How to access user's location if permissions are granted How to handle permissions per role What is the best way to secure files in AWS S3 with different permissions for different users? What is the best way to check a user's permissions while they are browsing through your website?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM