Hi @jonsully thanks for the thoughtful and helpful reply!
Ah - I was assuming that GoTrue would sign the JWTs using the JWT Secret configured for the site in the Netlify settings. Thanks for quashing that assumption! I would have hit that brick wall eventually. But also - this leads me to another side question - does Netlify Identity work with Netlify RBAC at all? If you don’t know the secret used by GoTrue to sign the JWTs, how do you know what to add as the JWT secret in the Netlify Access control settings?
Do you know of any tutorials on this, or anyone who has got an external JWT provider working with Netlify’s RBAC? I tried to use Auth0 a couple of years ago for exactly this use-case, but the JWT it produced did not seem to have the right formatting if I remember correctly. I believe I couldn’t configure the JWT to have a Roles payload that was compatible with RBAC. Also Auth0 was super enterprise-y and not very user friendly. At the time, there were no tutorials or guides I could follow. Eventually I gave up. Thanks for the SupaBase tip - that is a new one for me.
Yes - the Cookie has to be set as nf_jwt and my understanding of Cookies and Cookie security is as follows:
- You should not store sensitive JWTs in Cookies that are accessible by Javascript as there is too great a risk of a rogue script stealing them from the client. So the cookie has to be HttpOnly.
- An HttpOnly Cookie cannot be set by client-side javascript.
- Therefore the cookie must be set on the server and sent to the client in the HTTP response.
- Browsers only accept Cookies if the Domain attribute matches the “real” domain of the HTTP response that initially set it (although I believe the “real” domain can be a subdomain of the Domain attribute).
- Browsers only send cookies in the HTTP request to domains that match the Domain attribute of the cookie.
This leads me to believe that the nf_jwt Cookie must be set by a service hosted at a domain or subdomain of the sites I am hoping to protect. If this is the case - I don’t really understand how Auth0 or Okta could help. Is there a part of the picture I am missing?
My current idea is that I could use Netlify Identity service as-is on my login.company.com site and pair it with a Netlify function that triggers on the login event and then sets a new nf_jwt cookie in the user’s browser. This JWT would be:
- Signed with a secret that I choose and that I can add as the JWT secret for the sites I want to protect
- Be sent to the client in a cookie that has the Domain attribute configured as company.com so that browsers will forward it in all requests to subdomains of company.com.
This makes me a little nervous because I am not a security engineer, but I’ll report back if I get it working, even if I’m not confident enough to put it in production.