Based on its documentation, Knock verifies the JWT and then makes a user entity available based on the token payload. By default, Knock assumes the payload's subject (`sub`) claim contains the entity's id and calls `find` on the model with it. You can override that behaviour by implementing a `from_token_payload` class method on the model: it receives the full (already verified) payload of the token and returns the entity, which means you can build a user entity that carries the permissions, groups and roles embedded in the token instead of looking the user up in the database. Since that entity is then exposed as `current_user` on authenticated routes, you can implement your access control by checking `current_user` in each route.
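The following is an added example, not Knock's own code or the original post's: a stand-alone Ruby sketch of a model that implements `from_token_payload`, a small dispatcher that mirrors Knock's documented behaviour (prefer `from_token_payload`, otherwise `find(payload['sub'])`), and the per-route permission check a controller would run against `current_user`. The claim names `roles`, `groups` and `permissions`, the `LegacyUser` stand-in, the `entity_for` and `authorize!` helpers and the sample payloads are all assumptions made for the example; Knock itself only assumes `sub`.

```ruby
# Added example (not Knock's code). Shows how a model can build its user
# entity from the verified JWT payload via `from_token_payload`, and how a
# route then checks permissions on `current_user`.
# Assumed claim names: 'roles', 'groups', 'permissions' (hypothetical).

# Minimal stand-in for the app's user model (a real app would subclass
# ActiveRecord::Base). Nothing here touches a database.
class User
  attr_reader :id, :roles, :groups, :permissions

  def initialize(id:, roles: [], groups: [], permissions: [])
    @id = id
    @roles = roles.freeze
    @groups = groups.freeze
    @permissions = permissions.freeze
  end

  # Knock calls this class method with the full payload of a token whose
  # signature and expiry it has already verified. Returning nil (or raising)
  # makes the request unauthenticated, so a payload without a usable `sub`
  # yields no entity at all rather than an anonymous one.
  def self.from_token_payload(payload)
    sub = payload['sub']
    return nil if sub.nil? || sub.to_s.empty?

    new(
      id: sub.to_s,
      roles: Array(payload['roles']).map(&:to_s),
      groups: Array(payload['groups']).map(&:to_s),
      permissions: Array(payload['permissions']).map(&:to_s)
    )
  end

  def role?(role)
    roles.include?(role.to_s)
  end

  # Permission check used by routes: an explicit permission claim, or the
  # (assumed) 'admin' role which is treated as granting everything.
  def can?(permission)
    permissions.include?(permission.to_s) || role?('admin')
  end
end

# Model without `from_token_payload`, to show Knock's default path:
# `find(payload['sub'])`. RECORDS is a constructed stand-in for a table.
class LegacyUser
  RECORDS = { '7' => 'legacy-seven' }.freeze
  attr_reader :id

  def initialize(id)
    @id = id
  end

  def self.find(id)
    raise KeyError, "no user #{id}" unless RECORDS.key?(id.to_s)
    new(id.to_s)
  end
end

# Illustration of Knock's documented dispatch (hypothetical helper, not
# Knock's source): use the hook when the model defines it, else `find`.
def entity_for(entity_class, payload)
  if entity_class.respond_to?(:from_token_payload)
    entity_class.from_token_payload(payload)
  else
    entity_class.find(payload['sub'])
  end
end

class Forbidden < StandardError; end

# What a controller action does with `current_user`: deny unless the entity
# exists and carries the required permission.
def authorize!(current_user, permission)
  unless current_user&.can?(permission)
    raise Forbidden, "missing permission #{permission}"
  end
  true
end

# Constructed sample payloads (what Knock would hand to the hook after
# verifying the token). The `exp` values are arbitrary.
ADMIN_PAYLOAD  = { 'sub' => '42', 'exp' => 4_102_444_800,
                   'roles' => ['admin'], 'groups' => ['ops'],
                   'permissions' => ['reports:read'] }.freeze
READER_PAYLOAD = { 'sub' => '7', 'exp' => 4_102_444_800,
                   'roles' => ['member'], 'permissions' => ['reports:read'] }.freeze
NO_SUB_PAYLOAD = { 'roles' => ['admin'] }.freeze

if __FILE__ == $PROGRAM_NAME
  reader = entity_for(User, READER_PAYLOAD)
  puts "reader #{reader.id} can read reports: #{reader.can?('reports:read')}"
  begin
    authorize!(reader, 'reports:delete')
  rescue Forbidden => e
    puts "reader denied: #{e.message}"
  end
end
```

Two caveats a practitioner should keep in mind. The roles and permissions in the payload are only trustworthy because Knock has verified the token's signature and expiry before calling `from_token_payload`; never decode a JWT without verification and act on its claims. And because those claims are a snapshot taken when the token was issued, revoking a role only takes effect once the token expires (or is otherwise invalidated server-side), so keep token lifetimes short or check a server-side source for sensitive operations.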