Rails. Role Based Access Control

derek1 · May 25, 2020, 7:49pm

Hello,

I am working on a regular Rails app with server-side rendered erb templates. I’ve been asked to implement roles and permissions and to evaluate Auth0 RBAC.

Looks like Auth0 requires an API and JWT to implement RBAC and every example of Auth0 RBAC I can find uses a ‘split’ architecture between frontend and backend that relies on JWT for authentication.

Am I right to believe Auth0 RBAC is not possible with a regular server-side rendered rails app?

Thank you for your time.

Derek

dan.woda · May 29, 2020, 9:05pm

Hi @derek1,

Welcome to the Community!

RBAC is possible with a regular web app or SPA+API, it doesn’t matter.

It sounds like you may have looked at the examples where roles are associated with permissions in an API, but you don’t have to assign specific permissions to roles.

Here is an example of how you can use roles in a regular web app:

A user (who you have already assigned a role) authenticates/logs in through your Auth0 hosted login page
Rules are run after successful authentication, adding the user’s existing roles to the ID and Access Tokens
The tokens are returned to your rails server, your server decodes and verifies the token, then looks at the roles claim assigned in the rule. This allows the user to perform role-specific actions, based on the claims in the token. (e.g. an accountant role lets the user read/update the accounts table in your DB)

Let me know if that makes sense,
Dan

system · June 13, 2020, 9:05pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.