
FusionAuth Lambdas


I want to use the lambda feature of FusionAuth to populate the JWT depending on which app the user logs into, because the same user can log into different apps and have several roles or groups in each. I don't want the JWT to be populated with every role, a role being an action that the user can perform in the app (following the NIST RBAC model these will be permissions like 'read:attentions' or 'delete:tests'), because there could be dozens of them (size reasons); instead I want the JWT to be populated with the groups the user has in that specific app. I tried assigning the roles property an empty array but did not succeed. I know that by default the tool doesn't allow you to change the roles property, but is there a way to delete it?

function populate(jwt, user, registration) {
    jwt.group = registration.data.group;
    jwt.roles = [];
}

Anyway, the token keeps having the roles; how can I remove them?

{
  "aud": "xxxxxxx-xxxxxxx-xxxxxxx-xxxxxxx-xxxxxxx",
  "exp": xxxxxxx,
  "iat": xxxxxxx,
  "iss": "acme.com",
  "sub": "xxxxxxx-xxxxxxx-xxxxxxx-xxxxxxx-xxxxxxx",
  "authenticationType": "PASSWORD",
  "email": "xxxxxxx@mail.com",
  "email_verified": true,
  "applicationId": "xxxxxxx-xxxxxxx-xxxxxxx-xxxxxxx-xxxxxxx",
  "roles": [
    "read:attentions",
    "write:attentions"
  ],
  "group": "financer"
}

Solution

  • The roles claim is reserved by FusionAuth and cannot be modified by a Lambda. There is an open feature that is scheduled to be complete in the upcoming release to loosen this restriction.

    Once this feature is delivered you will have the option to remove or modify the roles claim.

    The current reserved claims are outlined in the JWT Populate Lambda documentation.
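The per-application group claim the question is after, as an added example that is not from the question or from FusionAuth's own code or docs. It assumes each application registration stores the user's groups for that app under registration.data.groups (a string or an array of strings) and writes them to a custom groups claim, leaving the reserved roles claim untouched.

```javascript
// Added example (not from the post or FusionAuth): JWT populate lambda that
// emits the user's groups for the application being logged into as a small
// custom claim, instead of trying to strip the reserved "roles" claim.
// Assumption: registration.data.groups holds the groups for this app, as a
// string or an array of strings (hypothetical field layout, not FusionAuth's).
// Written in ES5 style so it runs on the engines FusionAuth lambdas use.
function populate(jwt, user, registration) {
  // registration is absent when the user is not registered for this app;
  // in that case add nothing rather than fail the login.
  if (!registration || !registration.data) {
    return;
  }
  var raw = registration.data.groups;
  var groups = [];
  if (typeof raw === 'string') {
    groups = [raw];
  } else if (Object.prototype.toString.call(raw) === '[object Array]') {
    groups = raw;
  }
  // Keep only non-empty string names and drop duplicates so the claim stays
  // compact and downstream checks see a normalised list.
  var seen = {};
  var clean = [];
  for (var i = 0; i < groups.length; i++) {
    var g = groups[i];
    if (typeof g === 'string' && g.length > 0 && !seen[g]) {
      seen[g] = true;
      clean.push(g);
    }
  }
  if (clean.length > 0) {
    jwt.groups = clean; // custom claim; size does not grow with the role count
  }
  // Deliberately no assignment to jwt.roles: it is reserved and any value a
  // lambda writes there is discarded, as the answer above explains.
}

// Consumer-side helper for a resource server that authorises on the group
// claim rather than on individual roles.
function hasGroup(claims, name) {
  var groups = claims && claims.groups;
  if (!groups || typeof groups.indexOf !== 'function') {
    return false;
  }
  return groups.indexOf(name) !== -1;
}
```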