RBAC with JWT containing role
This guide explains how to set up Role-Based Access Control with a JWT that carries a role claim.
This guide is based on the TokenIntrospector tutorial, but here we won't create a User resource.
Token introspection
Token introspection is how Aidbox is made to trust JWTs issued by an external server.
In this guide, the external auth server URL is https://auth.example.com.
Create TokenIntrospector
PUT /fhir/TokenIntrospector/external-auth-server
content-type: text/yaml

resourceType: TokenIntrospector
id: external-auth-server
type: jwt
jwt:
  iss: https://auth.example.com
  secret: very-secret
Here we use a shared secret only to check that the introspector works. In production installations, it's better to switch to jwks_uri instead.
Create AccessPolicy for the role manager
PUT /fhir/AccessPolicy/as-manager-get-users-list
content-type: text/yaml

resourceType: AccessPolicy
id: as-manager-get-users-list
engine: json-schema
link:
  - reference: Operation/FhirSearch
schema:
  required:
    - jwt
  properties:
    uri:
      enum:
        - /User
      type: string
    request-method:
      constant: get
    jwt:
      required:
        - iss
        - role
      properties:
        iss:
          constant: https://auth.example.com
        role:
          constant: manager
Create JWT token
To build the JWT, use this tool. Mind the claims:
issuer claim should be https://auth.example.com
role additional claim should be manager
expiration claim should be in the future
subject claim can be any value
The key should be very-secret.
To get a signed JWT, press the Create Signed JWT button. The generated JWT looks like this:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2F1dGguZXhhbXBsZS5jb20iLCJpYXQiOjE2NzU3NTgzMDEsImV4cCI6MTcwNzI5NDMwMSwiYXVkIjoiaHR0cHM6Ly9hdXRoLmV4YW1wbGUuY29tIiwic3ViIjoiYWxpY2VAZXhhbXBsZS5jb20iLCJyb2xlIjoibWFuYWdlciJ9.X7sibz1LloKlMPVV5Q39gSAJBxxutCORtYq4oRt1eAo
Use the JWT to get access
Make an HTTP request, providing the Authorization header with the JWT as a Bearer token.
GET /fhir/User
content-type: text/yaml
Authorization: Bearer eyJ0...1eAo
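As an added end-to-end example (not part of the Aidbox documentation or of Aidbox itself), here is a Python model of what the guide configures: a JWT signed with the introspector's shared secret, the introspection checks (HS256 signature, issuer, expiry), and the as-manager-get-users-list policy evaluated against the request object. It assumes HS256 with the secret from the TokenIntrospector, re-implements the json-schema checks by hand using only the standard library, and uses function names of my own.

```python
import base64, hashlib, hmac, json, time
SECRET = "very-secret"               # jwt.secret of the TokenIntrospector
ISSUER = "https://auth.example.com"  # jwt.iss of the TokenIntrospector

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def create_signed_jwt(claims, secret=SECRET):
    """HS256-sign the claims, like the 'Create Signed JWT' step of the guide."""
    header = b64url(b'{"typ":"JWT","alg":"HS256"}')
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def introspect(token, secret=SECRET, now=None):
    """Model of the TokenIntrospector (assumption): verify alg, signature, issuer and expiry."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse alg=none and any algorithm other than the configured one
        expected = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None  # signature does not match the shared secret
        claims = json.loads(b64url_decode(payload))
        now = int(time.time()) if now is None else now
        if claims.get("iss") != ISSUER or claims["exp"] <= now:
            return None  # wrong issuer, or exp missing / in the past
        return claims
    except (ValueError, KeyError, TypeError, AttributeError):  # malformed token or claims
        return None

def policy_allows(request):
    """Evaluate the as-manager-get-users-list schema against Aidbox's request object."""
    jwt = request.get("jwt")
    if not isinstance(jwt, dict):                  # schema.required: [jwt]
        return False
    if request.get("uri") not in ("/User",):       # uri.enum (uri is always present)
        return False
    if request.get("request-method") != "get":     # request-method.constant
        return False
    if "iss" not in jwt or "role" not in jwt:      # jwt.required: [iss, role]
        return False
    return jwt["iss"] == ISSUER and jwt["role"] == "manager"  # jwt.iss / jwt.role constants

def authorize(method, uri, bearer, now=None):
    # GET /fhir/User with 'Authorization: Bearer <jwt>': introspect first, then apply the policy
    claims = introspect(bearer, now=now)
    return claims is not None and policy_allows({"uri": uri, "request-method": method.lower(), "jwt": claims})
```

Only a token that passes introspection and then satisfies every constraint of the policy is allowed; a valid token with role nurse, an expired token, or a token signed with another key is refused.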