Role Based Access Management
Using roles to control access to resources makes sense for many security use cases. One benefit of RBAC is that it is deterministic: from an audit perspective, you can tell who had access to what at any point in time. This is harder to achieve when contextual variables play a role in determining access.

An OpenID Provider / OAuth Authorization Server like Jans Auth Server certainly has a role to play in the implementation of an RBAC infrastructure, but it is not capable of delivering all the functionality your organization will need for a complete solution. For example, you may need a platform to define enterprise roles or to perform role consolidation. This is normally handled by an identity governance tool. Also, Jans Auth Server is not a policy management platform, like:

* Styra OPA
* OSO
* Zanzibar
* Hashicorp Boundary
* Apache Fortress

The tools above are just a few open source policy management frameworks. There are more commercial products in this space.
Although Jans Auth Server may not be a complete RBAC solution, there are still some RBAC capabilities to consider. When a person authenticates using a web browser, the client can obtain user claims via OpenID Connect. It may make sense to send the role claim to the client. You may also send the memberOf claim, if your organization uses group membership to manage roles.

But what if you need to dynamically compute roles? Or if you don't want to over-share by sending all the roles and groups associated with a person? One strategy is to use the Jans Auth Server Update Token Interception script to render the role claim, either in the OAuth access token, the id_token or the Userinfo JWT.
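The following is an added example, not code from the Janssen project: plain Python showing the claim-rendering logic such an interception script would carry, deriving roles from a user's memberOf groups and then keeping only the roles the requesting client is entitled to see, so a single token does not reveal every role a person holds. The group DNs, group-to-role mapping and per-client role scope are constructed sample data, not values from the page; in a real deployment this logic would run inside the Update Token script's token-modification hooks.

```python
"""Render a least-privilege 'role' claim from directory group membership."""
import re
from typing import Dict, Iterable, List

# Constructed sample: a user's memberOf attribute as LDAP group DNs (hypothetical org).
SAMPLE_MEMBER_OF = [
    "cn=finance-approvers,ou=groups,o=jans",
    "cn=helpdesk,ou=groups,o=jans",
    "cn=all-staff,ou=groups,o=jans",
]

# Constructed mapping: which group CN confers which application role.
GROUP_TO_ROLE = {
    "finance-approvers": "approver",
    "helpdesk": "support_agent",
    "all-staff": "employee",
}

# Constructed policy: the roles each OAuth client is allowed to learn about.
# Anything outside this set is withheld to avoid over-sharing a person's roles.
CLIENT_ROLE_SCOPE = {
    "expense-app": {"approver", "employee"},
    "ticketing-app": {"support_agent", "employee"},
}

_CN_RE = re.compile(r"^cn=([^,]+),", re.IGNORECASE)


def group_cns(member_of: Iterable[str]) -> List[str]:
    """Extract the CN from each group DN; malformed entries are skipped, not guessed."""
    cns = []
    for dn in member_of:
        match = _CN_RE.match(dn.strip())
        if match:
            cns.append(match.group(1).lower())
    return cns


def roles_for_client(member_of: Iterable[str], client_id: str) -> List[str]:
    """Map groups to roles, then keep only roles the client is scoped to see (sorted, deterministic)."""
    allowed = CLIENT_ROLE_SCOPE.get(client_id, set())
    roles = {GROUP_TO_ROLE[cn] for cn in group_cns(member_of) if cn in GROUP_TO_ROLE}
    return sorted(roles & allowed)


def add_role_claim(claims: Dict, member_of: Iterable[str], client_id: str) -> Dict:
    """Return a copy of the token claims with 'role' set; an empty role list drops the claim."""
    roles = roles_for_client(member_of, client_id)
    out = dict(claims)
    if roles:
        out["role"] = roles
    else:
        out.pop("role", None)  # never emit a stale or empty role claim
    return out
```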
Created: 2022-07-21