|
| 1 | +0003: JWT usage |
| 2 | +############### |
| 3 | + |
| 4 | +Status |
| 5 | +****** |
| 6 | + |
| 7 | +**Draft** |
| 8 | + |
| 9 | +Context |
| 10 | +******* |
| 11 | + |
| 12 | +Json Web Tokens (JWT) are a way for authenticating users in web |
| 13 | +applications. The server generates a signed token that encodes the |
| 14 | +user's identity and any relevant claims, which is then sent to the |
| 15 | +client. The client includes this token in subsequent requests, allowing |
| 16 | +the server to verify the user's identity without needing to maintain |
| 17 | +session state. |
| 18 | + |
| 19 | +Because the tokens are cryptographically signed, they can be efficiently |
| 20 | +verified by the server without requiring database queries, which brings |
| 21 | +performance and scalability benefits. |
| 22 | + |
| 23 | +In addition to storing user identity, JWT tokens can also include |
| 24 | +additional claims, such as user roles or permissions, which can be used |
| 25 | +for authorization (AuthZ) purposes. |
| 26 | + |
| 27 | +JWT is the `recommended way to authenticate with the Open edX REST API |
| 28 | +<https://docs.openedx.org/projects/edx-platform/en/latest/how-tos/use_the_api.html>`_, |
| 29 | +however, it's not widely used for AuthZ across the platform. One |
| 30 | +exception is the `edx-rbac <https://github.com/openedx/edx-rbac>`_ |
| 31 | +library, which was a previous attempt to implement role-based access |
| 32 | +control in the platform. |
| 33 | + |
| 34 | +The edx-rbac library adds role information to the `"roles" claim in the |
| 35 | +JWT token |
| 36 | +<https://github.com/openedx/edx-rbac/blob/master/docs/how_to_guide.rst>`_ |
| 37 | +however, this is not widely used across the platform, being mostly used |
| 38 | +on enterprise modules. |
| 39 | + |
| 40 | +Given the new AuthZ project efforts, which seek to unify and simplify |
| 41 | +AuthZ on Open edX, there is an opportunity to re-evaluate the use of JWT |
| 42 | +tokens for Authorization purposes. |
| 43 | + |
| 44 | +Possible Methods |
| 45 | +================ |
| 46 | + |
| 47 | +#. Including AuthZ data in the JWT, attaching the user-related policies |
| 48 | + in the "policy" claim. Example implementation: `casbin-jwt-express |
| 49 | + <https://github.com/tiagostutz/casbin-jwt-express>`_ |
| 50 | + |
| 51 | + - Pros: |
| 52 | + |
| 53 | + - No additional DB queries needed for AuthZ, which brings |
| 54 | + potential performance and scale benefits. |
| 55 | + |
| 56 | + - Cons: |
| 57 | + |
| 58 | + - JWT tokens can become large and unwieldy, potentially |
| 59 | + impacting request performance, increasing bandwidth |
| 60 | + usage, and hitting size limits. |
| 61 | + |
| 62 | + - Changes in user roles or permissions will not be |
| 63 | + reflected in the token until it is refreshed, leading to |
| 64 | + potential security issues. |
| 65 | + |
| 66 | +#. Not including AuthZ data in the JWT |
| 67 | + |
| 68 | + - Pros: |
| 69 | + |
| 70 | + - Smaller token size, leading to improved request |
| 71 | + performance and reduced bandwidth usage. |
| 72 | + - Changes in user roles or permissions can be reflected |
| 73 | + immediately without requiring a token refresh. |
| 74 | + |
| 75 | + - Cons: |
| 76 | + |
| 77 | + - Additional DB queries may be needed for AuthZ, which |
| 78 | + could impact performance and scalability (could be |
| 79 | + mitigated with caching strategies). |
| 80 | + |
| 81 | +Discussion |
| 82 | +========== |
| 83 | + |
| 84 | +The new AuthZ approach being discussed in this repository will allow for |
| 85 | +a unified and more flexible way to manage authorization, this will allow |
| 86 | +for more complex authorization scenarios to be handled more easily, for |
| 87 | +example, specifying fine-grained access controls for libraries. |
| 88 | + |
| 89 | +On a big instance, this will mean that the policies attached to a user |
| 90 | +will potentially grow larger and more complex, which would greatly |
| 91 | +increase the data that a JWT token would need to carry if we were to |
| 92 | +include AuthZ data in the token itself. |
| 93 | + |
| 94 | +On the other hand, the performance and resources impact of doing AuthZ |
| 95 | +checks in the backend on every request can be mitigated with caching |
| 96 | +strategies. |
| 97 | + |
| 98 | +Decision |
| 99 | +******** |
| 100 | + |
| 101 | +We will not include AuthZ data in the JWT tokens. JWT tokens will |
| 102 | +continue to be used as an authentication mechanism, but AuthZ will be |
| 103 | +handled separately in the backend. |
| 104 | + |
| 105 | +Consequences |
| 106 | +************ |
| 107 | + |
| 108 | +- JWT tokens will continue to be used as they are currently, primarily |
| 109 | + for authentication purposes. |
| 110 | +- AuthZ will be handled in the backend, caching strategies should be |
| 111 | + considered to mitigate performance impacts. |
| 112 | + |
| 113 | +Rejected Alternatives |
| 114 | +********************* |
| 115 | + |
| 116 | +- Including AuthZ data in the JWT tokens by using the "policy" claim, |
| 117 | + including the full ACL definition for the user. |
| 118 | + |
| 119 | +References |
| 120 | +********** |
| 121 | + |
| 122 | +- `edx-rbac how to guide <https://github.com/openedx/edx-rbac/blob/master/docs/how_to_guide.rst>`_ |
| 123 | +- `Example implementation of jwt embedded policies with casbin <https://github.com/tiagostutz/casbin-jwt-express>`_ |
| 124 | +- :ref:`OEP-66: Authorization Best Practices <openedx-proposals:OEP-66 User Authorization>` |
| 125 | +- :ref:`Open edX Auth Overview Table <Open edX Auth Overview Table>` |
0 commit comments