
Is setting Roles in JWT a best practice?


I am considering using JWT. In the jwt.io example I see the following information in the payload data:

"admin": true

Admin can be considered as a Role, hence my question. Is setting the role in the token payload a habitual/good practice? Given that roles can be dynamically modified, I'm quite interrogative.


Solution

  • Nothing stops you from creating claims to store extra information in your token if they can be useful for your client.

    However, I would rely on JWT only for authentication (who the caller is). If you need to perform authorization (what the caller can do), look up the caller's roles/permissions from your persistent storage to get the most up-to-date value.

    For short-lived tokens (for example, when propagating authentication and authorization in a microservices cluster), I find it useful to have the roles in the token.
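An added example (not from the question or the answer above) showing the trade-off the answer describes: a short-lived HS256 token carrying a `roles` claim, verified with the standard library only, and an authorization check that either trusts the claim or re-reads roles from a constructed in-memory store. The signing key and the `ROLE_STORE` contents are assumptions made for the example.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # hypothetical signing key, not a real deployment value

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(sub: str, roles: list, ttl: int, now: int) -> str:
    """Mint an HS256 JWT with a 'roles' claim and an expiry 'ttl' seconds from 'now'."""
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":"))
    payload = json.dumps({"sub": sub, "roles": roles, "iat": now, "exp": now + ttl},
                         separators=(",", ":"))
    signing_input = f"{_b64url(header.encode())}.{_b64url(payload.encode())}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_token(token: str, now: int) -> dict:
    """Authentication step: check alg, signature and expiry; return claims or raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p))
    if now >= payload["exp"]:
        raise ValueError("token expired")
    return payload

# Constructed stand-in for persistent storage; roles here may change after a token is issued.
ROLE_STORE = {"alice": {"admin"}, "bob": {"viewer"}}

def authorize(token: str, required: str, now: int, trust_token_roles: bool) -> bool:
    """Authorization step: use the token's 'roles' claim (fine for short-lived tokens)
    or look the roles up in the store so revocations take effect immediately."""
    payload = verify_token(token, now)
    if trust_token_roles:
        roles = set(payload["roles"])
    else:
        roles = ROLE_STORE.get(payload["sub"], set())
    return required in roles
```

With `trust_token_roles=True` a role revoked after issuance still grants access until `exp`, which is why the claim is only acceptable when the lifetime is short.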