Theo's Typesafe Cult
Created by Lr-Projects on 1/5/2025 in #questions
How to store/design dynamic roles in JWT
I've been working on a project that has users that can join groups that are either public or private. I'm using refresh and JWT access tokens for authentication of the API. For most examples online, roles are always defined statically, like this user has an admin or user role. To reduce database fetches to check if a user can see contents in a group (so either is a user a member or is the group public) for every request, is it reasonable to save roles on a group basis in the JWT token? The problem I see is that a high number of groups can be public and therefore a lot (too many) of roles have to be added. Or is this approach of dynamic roles (not sure how to call it; what I mean is creating roles depending on a group) just completely wrong in itself? Maybe someone can give an example of how such complicated content access is checked in the real world 🙂
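One way to lay out the claims for the situation described above (an added example, not code from the original post): only the user's private-group memberships go into the JWT, which is bounded by how many groups one user joins, while public groups are resolved from the group record itself and never become roles. The claim name `grp`, the `GROUPS` map and the `MAX_GROUP_CLAIMS` limit are assumptions made for the example.

```typescript
// Claim layout (constructed): only private-group memberships ride in the token;
// public groups are never encoded as roles, the group record itself says "public".
type GroupRole = "member" | "moderator" | "owner";

interface AccessClaims {
  sub: string;                     // user id
  exp: number;                     // expiry, seconds since epoch
  grp: Record<string, GroupRole>;  // groupId -> role, private memberships only
}

interface GroupRecord { id: string; visibility: "public" | "private" }

// Constructed sample data standing in for a cached lookup of group records.
const GROUPS: Record<string, GroupRecord> = {
  g1: { id: "g1", visibility: "public" },
  g2: { id: "g2", visibility: "private" },
  g3: { id: "g3", visibility: "private" },
};

type Decision = { allowed: true; role: GroupRole | "viewer" } | { allowed: false; reason: string };

// Decide whether the bearer of `claims` may read `groupId` without a per-request
// membership query. Caveat: the claim is only as fresh as the last token issue, so a
// membership revoked mid-lifetime stays usable until the access token expires.
function canViewGroup(claims: AccessClaims, groupId: string, now: number,
                      lookup: (id: string) => GroupRecord | undefined = (id) => GROUPS[id]): Decision {
  if (claims.exp <= now) return { allowed: false, reason: "token expired" };
  const group = lookup(groupId);
  if (!group) return { allowed: false, reason: "unknown group" };
  const role = claims.grp[groupId];
  if (role) return { allowed: true, role };                                    // explicit membership wins
  if (group.visibility === "public") return { allowed: true, role: "viewer" }; // no claim needed
  return { allowed: false, reason: "not a member of this private group" };
}

// Issue-time guard: refuse to mint a token whose membership claim would bloat it;
// MAX_GROUP_CLAIMS is an assumed limit, tune it to your token-size budget.
const MAX_GROUP_CLAIMS = 50;
function buildGroupClaim(memberships: Array<{ groupId: string; role: GroupRole }>): Record<string, GroupRole> {
  if (memberships.length > MAX_GROUP_CLAIMS) {
    throw new Error(`too many memberships (${memberships.length}); fall back to DB checks`);
  }
  const claim: Record<string, GroupRole> = {};
  for (const m of memberships) claim[m.groupId] = m.role;
  return claim;
}
```

Because a removed membership only disappears from the claim at the next refresh, keep the access token short-lived or re-check membership in the database for write and moderation actions rather than for plain reads.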