It is possible to add authorization information (roles) to the JWT.
Example:
{
  "iss": "...",
  "sub": "...",
  "exp": ...,
  "iat": ...,
  "jti": "...",
  "ver": "0.1",
  "idp": "..",
  "name": "Doe",
  "firstName": "John",
  "email": "[email protected]",
  "roles": ["role1", "role2"]
}
2017-09-18 14:59 GMT+02:00 Jason Hunter <[email protected]>:
> I understand that JWT will provide for authentication. How do you intend
> to do authorization?
>
> Meaning, how do you intend to know what roles the username given in the
> JWT should have within MarkLogic? Or do all authenticated users get the
> same roles, or something?
>
> -jh-
>
> On Sep 18, 2017, at 15:07, Andreas Hubmer <[email protected]>
> wrote:
>
> Justin,
>
> I'll answer for my colleague.
> We'd like to use JSON Web Tokens (JWT) and extract the user roles from the
> token.
> The users are managed in an external system and similar to the LDAP
> connection we want to avoid that every user has to be created/updated in
> MarkLogic too.
>
> Amps do not give the same flexibility as a temporary user with an
> arbitrary combination of roles.
>
> Thanks,
> Andreas
>
> 2017-09-15 17:50 GMT+02:00 Justin Makeig <[email protected]>:
>
>> Andreas,
>> Rather than describe your solution, can you explain the problem you’re
>> trying to solve? Why do you think you need a temporary user? What
>> permission/privilege challenge are you trying to address?
>>
>> You might also take a look at amps
>> <https://docs.marklogic.com/guide/admin/security#id_81246>. An amp allows a security administrator to
>> elevate the privileges of a specific function. This is beneficial in that
>> the security is defined in configuration, not code.
>>
>> Justin
>>
>>
>> --
>> Justin Makeig
>> Senior Director, Product Management
>> MarkLogic
>> [email protected]
>>
>>
>>
>> > On Sep 15, 2017, at 4:29 AM, Andreas Holzgethan <
>> [email protected]> wrote:
>> >
>> > Hi @all,
>> >
>> > I need the possibility to create a temporary user for a transaction.
>> > I just found in the documentation that such functionality is used
>> when, for example, LDAP is configured as external security.
>> >
>> > Could you please explain to me how this is done there?
>> >
>> > My first thought was to create a user with the function
>> "sec:create-user-with-role". At the end of the transaction I would just
>> call the function "sec:remove-user".
>> > Could you please give me feedback about this implementation?
>> > Is such an implementation a big influence on the performance?
>> >
>> > Thanks!
>> >
>> > Best regards
>> > Andreas Holzgethan
>> >
>>
> --
Andreas Hubmer
Senior IT Consultant
EBCONT enterprise technologies GmbH
_______________________________________________
General mailing list
[email protected]
Manage your subscription at:
http://developer.marklogic.com/mailman/listinfo/general