Dynamic roles

[tarwich]

Firstly, thanks for such an awesome system.

TL;DR: How do I give a user a new role without generating a new JWT?

Having troubles figuring out user roles. I'd like users to have different schemas based on things like: guest, user, moderator, creator. I'm already restricting permissions based on a grants table, but I'd like to also lock a user into a separate schema so that a "user" couldn't ever gain access to "moderator" level functionalities.

Currently when a user logs in, their role is set in their JWT, so if I promote them, then they have to log out and back in again in order to gain the new permissions. Can't this be done in another way?

Obviously the feature doesn't exist to have the role be derived, but it would be cool for it to be something like "$users.{X-Hasura-User-Id}.role". Is there another way?

Thanks again!

Edit: Removed stray character

[BenoitRanque]

When you set a list of claims in a JWT, those claims cannot be changed without issuing a new JWT.
This is simply how JWT works.

If you need to update the claims associated with a user, you have a few options:

1. Accept that updating claims take some time. This is the simplest to implement. Your token refresh flow should include checking for new claims, and issuing the new token based on the updated claims. If you refresh the tokens every 5 minutes, you would have to wait a maximum of 5 minutes for the claims to be updated and the new roles to come into effect.

2. Keep a list of valid tokens, and revoke any token associated with a user when you update data that changes their claims. This is a bit more tricky. You would need to setup an auth webhook, to handle this logic, see documentation here

3. Worst for performance, but simpler to implement than 2 is to use an auth webhook, and check the database to determine the user's role on each request. Like option 2, this has the benefit that changes in roles will be effective immediately.

For most use cases I would recommend the first option, unless you have a need for a third party to update a user's permissions, and that change to take effect immediately. Here is an extensive blogpost on JWT auth best practices which includes the refresh flow.

Cheers

Ben

[tarwich]

This makes sense. My problem is that my API handling token generation doesn't have access to the user roles. This situation would work, but it's going to need the tokens to be generated by another system. Fortunately JWT are easy enough to generate. Perhaps I'll do so on the other system. I'll look into this and get back to you.

[tarwich]

We're using option #1, and it's working well. Thanks for the guidance. The use of the X-Hasura-Role header is also helpful now that I understand it better.