Question

Should information about the permissions and roles of the client be included in JWT?

Having such information in the JWT token would be very helpful, as every time a valid token comes in it would be easier to extract the information about the user's permissions, and there would be no need to call the database for the same. But would including such information and not double-checking it in the database be a security issue?

Or,

Should information like the one mentioned above never be part of the JWT, with only the database used for checking the access roles and permissions of a user?


Solution

The purpose of including claims in the token is so you don't have to have that communication between the resource and the authentication provider.

The resource can just check that the token has a valid signature and trust the content.

Assuming the private key is private to the auth server, you are good. Some providers change their key around to mitigate the risk.

If you think about it, if the resource made a call back to the auth server to get the claims, then it is essentially ensuring that it's talking to the right server by similar trust methods.

Other tips

From my experience, if all your systems are using some central role and permission database, you can add all that into JWT.

However, this approach might not work well in SSO scenarios when the auth server itself has no idea whatsoever about the target system that will receive and trust the token.

The roles and permissions of the user are entirely up to the receiver of the JWT token. This is especially true when you integrate SSO auth with JWT into legacy systems that already have their own permission subsystem in place and thus need only one claim to be present in the JWT: the claim of user identity.
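The two answers above describe two ways a resource server can authorize a request once it has verified the token's signature: take the roles straight from the claims (the accepted answer's "trust the content"), or use only the identity claim and look the roles up locally (the legacy-system case in the second answer). The following is an added example, not code from either poster. It implements HS256 JWT signing and verification with the standard library only; the shared secret stands in for the auth server's private key, and `LOCAL_ROLES`, the user names and the secret value are constructed for the demo. Verification pins the algorithm, uses a constant-time signature comparison and rejects expired tokens, and `tamper_roles` shows why a role claim cannot be edited by a client: changing the payload invalidates the signature.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; in practice this is the auth server's signing key
# and the resource server holds only what it needs to verify.
SECRET = b"constructed-demo-secret-do-not-use"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """What the auth server does: sign header.payload with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
    ])
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, secret: bytes = SECRET,
                 now: Optional[float] = None) -> Optional[dict]:
    """What the resource server does: return the claims only if the token is
    well-formed, uses the expected algorithm, has a valid signature and has
    not expired. Any failure returns None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm instead of trusting whatever the header says.
        if header.get("alg") != "HS256":
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers bad base64, bad JSON, wrong segment count
        return None
    current = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= current:
        return None
    return claims


# Mode 1 (accepted answer): roles travel inside the token, no DB round trip.
def can_access_from_claims(token: str, required_role: str,
                           secret: bytes = SECRET, now: Optional[float] = None) -> bool:
    claims = verify_token(token, secret, now)
    return claims is not None and required_role in claims.get("roles", [])


# Mode 2 (second answer): token carries only identity ("sub"); the receiver
# maps that identity onto its own permission store. Constructed table.
LOCAL_ROLES = {"alice": {"admin", "editor"}, "bob": {"viewer"}}


def can_access_from_local_db(token: str, required_role: str,
                             secret: bytes = SECRET, now: Optional[float] = None) -> bool:
    claims = verify_token(token, secret, now)
    if claims is None:
        return False
    return required_role in LOCAL_ROLES.get(claims.get("sub"), set())


def tamper_roles(token: str, new_roles: list) -> str:
    """Rewrite the roles claim while keeping the original signature, to show
    that the resource server rejects the edited token."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["roles"] = new_roles
    payload = json.dumps(claims, separators=(",", ":")).encode()
    return ".".join([header_b64, _b64url_encode(payload), sig_b64])


if __name__ == "__main__":
    now = time.time()
    token = mint_token({"sub": "bob", "roles": ["viewer"], "exp": now + 600})
    print("viewer allowed:", can_access_from_claims(token, "viewer"))
    print("forged admin allowed:", can_access_from_claims(tamper_roles(token, ["admin"]), "admin"))
```

In both modes the signature check is the gate; the only difference is whether the authorization data comes from the verified claims or from the receiver's own table keyed on the verified `sub`. The `now` parameter exists so expiry can be tested deterministically; production callers leave it unset.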

Licensed under: CC-BY-SA with attribution