by dkarl
1355 days ago
The front end almost always needs to know what a user is authorized to do, because it is reflected in the UI. Which edit/delete buttons are visible and active? Is there a link to the admin page? Is there a link to a supervisor dashboard? Most apps send that information to the front end in a way that maps 1-to-1 to how they model authorization on the back end, often using exactly the same language, in which case you don't gain much by encrypting it in the JWT. But if you are taking measures not to leak your authorization model in the front end, then it makes sense not to expose it in an unencrypted JWT.
How would you do that? At the end of the day the front-end needs to know what you can access somehow.
I guess you could add a compile step that rewrites all your permission checks into validating opaque UUIDs.
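One way to get the effect the reply describes without a compile step, as an added example that is not part of the thread: derive an opaque, per-deployment handle for each internal permission name with a keyed HMAC, put only those handles in the token's claims, and resolve them back to permission names on the server before any check. The role table, the secret key and the permission names below are constructed for the demo; `is_allowed`, `leaks_model` and the other function names are this example's own.

```python
"""Opaque permission handles in a JWT-style claims segment (added example).

Internal permission names such as "invoice:delete" never leave the server. The
front end only sees opaque handles derived with a keyed HMAC, and the back end
resolves handles back to permission names with its secret table before checking.
"""
import base64
import hashlib
import hmac
import json
import uuid

# Assumed server-side secret; in a real deployment this comes from a secret store.
HANDLE_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed authorization model: role -> set of internal permission names.
ROLE_PERMISSIONS = {
    "viewer": {"invoice:read"},
    "editor": {"invoice:read", "invoice:update"},
    "supervisor": {"invoice:read", "invoice:update", "invoice:delete", "dashboard:supervisor"},
}


def permission_handle(permission: str, key: bytes = HANDLE_KEY) -> str:
    """Derive a stable opaque handle for one permission name.

    The handle is a UUID built from the first 16 bytes of HMAC-SHA256(key, name),
    so without the key it reveals nothing about the internal name.
    """
    digest = hmac.new(key, permission.encode(), hashlib.sha256).digest()
    return str(uuid.UUID(bytes=digest[:16]))


def handle_table(key: bytes = HANDLE_KEY) -> dict:
    """Server-side reverse map: opaque handle -> internal permission name."""
    names = set().union(*ROLE_PERMISSIONS.values())
    return {permission_handle(n, key): n for n in names}


def build_payload(user: str, role: str) -> dict:
    """Claims to place in the token: only opaque handles, never role or permission names."""
    handles = sorted(permission_handle(p) for p in ROLE_PERMISSIONS[role])
    return {"sub": user, "perms": handles}


def encode_payload(payload: dict) -> str:
    """Base64url-encode the claims segment, i.e. the part an unencrypted JWT exposes."""
    raw = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_payload(segment: str) -> dict:
    """Decode a base64url claims segment (padding restored) back to a dict."""
    pad = "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment + pad))


def leaks_model(segment: str) -> bool:
    """Return True if the visible claims segment contains any internal role or permission name."""
    text = json.dumps(decode_payload(segment))
    names = set(ROLE_PERMISSIONS) | set().union(*ROLE_PERMISSIONS.values())
    return any(n in text for n in names)


def is_allowed(payload: dict, permission: str) -> bool:
    """Back-end check: resolve handles through the secret table, then test the permission."""
    table = handle_table()
    granted = {table[h] for h in payload.get("perms", []) if h in table}
    return permission in granted


if __name__ == "__main__":
    claims = build_payload("alice", "editor")
    segment = encode_payload(claims)
    print("claims segment:", segment)
    print("leaks internal model:", leaks_model(segment))
    print("can update:", is_allowed(decode_payload(segment), "invoice:update"))
    print("can delete:", is_allowed(decode_payload(segment), "invoice:delete"))
```

The UI can still key its buttons and links off the handles it receives, but the names of roles and permissions stay on the server. Because the handles are deterministic per deployment, two users with the same permission carry the same handle, so this hides the vocabulary of the model rather than its shape; if that correlation also matters, encrypting the whole claims set (a JWE) is the alternative the first comment alludes to.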