Support JWT decoding on sub-enterprise plans

Passwordless login is rapidly becoming a new standard, but the Netlify implementation currently requires an Enterprise plan to support even accepting 3rd party JWT tokens. The Enterprise plan level far outstrips the needs of our app in every other way at the moment, so we can’t justify the upgrade to get access to this feature.

We might have considered the upgrade regardless if the Identity product offered a native passwordless login experience, but it doesn’t seem to be supported currently: Passwordless / magic link · Issue #337 · netlify/netlify-identity-widget · GitHub. However, even if general magic link login were supported, there may be security-enhancing features offered by specialized vendors (such as device binding via webauthn) that I don’t expect to see supported anytime soon.

In practice, this means that all my functions require a custom middleware to decode the JWTs, which both adds to the complexity of the codebase and potentially creates security vulnerabilities, as decoding the tokens in “userspace” can be error-prone. This is especially an issue in a lambda function context, because the more battle-tested middlewares like passport aren’t readily usable there without spinning up a full express app, or using cumbersome adapters.

My feature request therefore is this: please allow netlify-provided JWT decoding and clientContext population at the Pro level. This will substantially increase DX and security for lambda function devs.

I will also add that this should be a nearly-zero-code change on the netlify side, as the functionality for decoding 3rd party tokens is already built out as a subset of the full enterprise identity level.

Likewise, using netlify as an identity provider, which actually has costs related to storing user data, etc., can remain in the level 2 identity product, consistent with the way 3rd party providers meter their services.

Hi Parkan and thanks for that thorough and well-reasoned feedback! I’ve made sure that our product team has seen it since they make the decisions about changing our pricing.

I think you can already use JWTs on our service for free with the default configuration - targeting our own identity provider. You don’t need to decode them; we do it for you automatically and block access to the Netlify-hosted route if they are not proper. I understand that you are looking for the features already available in other providers, and I don’t think you’re wrong that we won’t be extending our JWT handling service(s) to the degree that folks like Auth0 might, so this is a pretty compelling feature set for our team to consider.

Thanks again for bringing it up!

Extensibility to other providers is a paid feature and where we place that is the decision we’ll leave with the Product team, who will absolutely take a look at your feedback and take it into consideration.

Thanks for the reply. I am a little bit unsure about this part, however:

As far as I know, JWT auth of any kind is only supported on the biz or enterprise plan (I actually upgraded my personal account to pro without realizing that, which only gave me basic auth).

However, your comment makes me think that even on the free plan I should see the decoded JWT in the context object if it is well-formed, is that accurate? I was hoping this might actually be the case, but it was unclear if I’d need to pass it in the usual bearer authorization header, the nf_jwt cookie value, or something else, and how signature validation would work. I’ll try it out and see if it does in fact already work!


Hello, @parkan, I happened across this thread and found that there seem to be some misunderstandings in here.

First, you have two options for JWT-based visitor access control: Netlify Identity OR an external provider.

Netlify Identity is available on all plans and free for up to 1000 active users with open registration, or 5 total users if your registration is set to invite-only. You can use the Netlify Identity Widget or build your own frontend UI using the gotrue-js frontend client library.

Custom JWT with an external provider requires a Business plan or above (starting at $99/mo), and does not use Netlify Identity. Authentication is handled by your chosen authentication provider (such as Auth0 or Okta), and can use whatever authentication methods they support for JWT-based token handling.

Both authentication methods can use role-based redirects for role-based access control, and Netlify Functions can access user info in the clientContext.

Hope that helps!