I am trying to get Netlify Identity + Role Based Access Controls (RBAC) to work for a use-case where a single login can grant access to multiple sites and I am wondering if it is possible.
I have read a lot of information in this forum and in the Docs, but it feels like swimming upstream to get this working. The closest example I can find is this tutorial which allows you to generate a JWT on one subdomain (https://login-to-gated-site.netlify.app/) and use it to grant access to another (https://gated-site.netlify.app/).
Would really appreciate the help! Even if someone can say definitively that this is not possible and I should use X instead.
I am on the Business plan, so I believe I have access to a full Identity and RBAC functionality in my Netlify account.
I run a company and we host documentation for a number of internal projects on Netlify. Each project is hosted on a subdomain of our company’s main domain. For example:
- internal-project-1.company.com
- internal-project-2.company.com
- internal-project-3.company.com
At the moment, we use Netlify’s simple password protection to restrict access to these sites. However, it is tedious to keep seeing the same password-entry form each time you visit a different site. It is also not very secure, as the password is shared between all our company’s team members.
I would like to implement Netlify Identity + Role-Based Access Controls so that my team can login using their Netlify Identity credentials and then receive a JWT Cookie that grants access to each of the subdomains.
My aim is to have a login page at `login.company.com` which is connected to an Identity instance at
Once a user logs in they receive a JWT that allows them to visit any of the protected subdomains. Each of these protected sites would have an identical `_redirects` file that looks like this:

```
/* 200! Role=team
/* https://login.company.com/
```
The secret used to sign the JWT at `login.company.com/.netlify/identity` would also be used as the JWT secret for all the protected sub-domains.
I was kinda expecting this to “Just Work”. Isn’t this the benefit of JWTs and fancy Edge Nodes?
However, the JWT Cookie stored when the user logs into `login.company.com` does not get sent with requests to `internal-project-1.company.com` and therefore Netlify denies access.
You can see Chrome excluding the Cookie in the request here:
Hovering on the `i` icon for the reason the cookie is filtered states that:
This cookie was blocked because neither did the request's URL domain exactly match the cookie's domain, nor was the request URL's domain a subdomain of the Cookie's Domain attribute value
I have set up a proof-of-concept to test out the implementation:
Is there a way to get the `nf_jwt` Cookie stored in a way that makes it portable between subdomains?
I think the missing step is to have the `Domain` attribute of the cookie set to `company.com` rather than `login.company.com`. Then the JWT should get sent with requests to `other-subdomain.company.com` according to my understanding of cookie security.
Because this is an `HttpOnly` Cookie, setting the cookie needs to happen on the server. Maybe this would need to be a custom Netlify Function or self-hosted GoTrue instance, as I don’t think Netlify Identity can be configured for this?