Issuing JWT with different roles and claims and permission and scope

[andrewkkchan]

Hello,

Would it be possible for Kratos to issue JWT with different roles and claims and permission and scope? The use case here is we have multiple bank accounts for one user. For each of the account, the user can have different role and thus permission. We also want to issue token with limited scope for the use of open banking, for example.

How can we customise Krato to allow for that? If we definitely want to bundle authentication and authorisation in one login call, can Krato be wired our domain services and do the permission lookup easily?

Thank you!

Kind regards,
Andrew

[Benehiko]

Hi @andrewkkchan,

Thanks for reaching out 😄

So each bank account is linked to a singular user profile?
Or are you saying the user creates a new username+password for each bank account under the same user details like their unique identification number?

I believe what you're asking for is a Kratos + Keto use case. To do a lookup on if user bob has specific permission x, you can do it through Oathkeeper + Keto. Kratos only does user management and the user session.

[andrewkkchan]

Hi @Benehiko

Thanks for getting back.

So in our domain, each bank account can be linked to more than one user profiles, with different roles. For example, a business account of a limited company will have some users as director roles, and some other users as employees roles.

On the other hand, each user will have more than one account, each with different role. For example, a user can have an employee role for business account A, but also a director role for business account B.

On successful login, we would like to grant the user an Access Token (JWT) with a list of claims which show all the roles for each account for the user. This allows the services, which are distributed, to avoid calling the auth server for any further verification.

The user details, however, will be the same (like unique identification number), even though they have different roles across different account entities.

Would this be a valid use case for Kratos?

Thank you.

Kind regards,
Andrew

[Benehiko]

Okay I understand your use case.

You have a user Bob who has a user profile (kratos), on your system he gets added to business account A but only as an employee (keto), he also gets added to business account B but as a director (keto).

On each request to distributed service A, B, etc. you can check with Keto if the permissions are correct with Oathkeeper. So that's what I think would be your use case using the Ory Stack.

[andrewkkchan]

Thank you @Benehiko for your explanation.
This is exactly my use case and I am sure Kratos + Keto + Oathkeeper is what we are looking for in Ory Stack.
However, we have a legacy system to support as well, which relies purely on JWT.
Assuming that we use Kratos + Keto + Oathkeeper, is there a way we can issue JWT tokens to the client in one REST login call? In a way the JWT can contain all the custom claims and roles with permissions, so that when a service verify the JWT, the service can know all the claims and roles this user has across its business accounts.

Kind regards,
Andrew

[Benehiko]

Hi @andrewkkchan,

Sorry for only getting back to you now, been a hectic week! 😅

I believe you can, but it might require some custom service between the Ory stack somewhere depending on how the system design looks like. It might be that you would have to create the JWT in a separate service after successful login. Something like this:

User (browser/app) -> Oathkeeper -> Login (Kratos)
User (browser/app) <- Oathkeeper <- Session Cookie/Token (Kratos)

User (browser/app) -> Oathkeeper -> Exchange to JWT (your service) -> Validate Cookie/Token (Kratos)
User (browser/app) <- Oathkeeper <- Valid JWT (your service)

[vinckr]

Hey @andrewkkchan ,
Just checking in if your question was answered or if there was still something unclear.
I will mark this as answered for now, but feel free to come back to the discussion any time.

Thanks a ton! 🐝