# ory-network
b
Let's say we want to use JWTs with the user's roles and/or permissions stored inside the JWTs to reduce the number of calls to Ory. (We're aware there are pros and cons to this.) For machine-to-machine auth, it looks like using a client credentials grant with an OAuth webhook to add the custom claims will get us what we want. For human users, there's this: https://www.ory.sh/docs/identities/session-to-jwt-cors But that's less flexible than a webhook... it maps the user's session into the JWT, and the permission info isn't available in the session. Would the approach be to somehow add the permission info to the session? Or is there some other way to get them a JWT with custom claims? Such as generating the JWT ourselves?
s
I've been considering a similar approach. The way that I've been looking at to do this is:

1. When I import users into Ory I create them with a metadata_public entry of my_roles.
2. I set up a JWT tokenizer where I create a few custom claims in my claims mapper:

    // Ory session-to-JWT claims mapper (Jsonnet); `claims` are the default claims, `session` is the Ory session
    local claims = std.extVar('claims');
    local session = std.extVar('session');
    {
      claims: {
        iss: claims.iss,
        schema_id: session.identity.schema_id,
        email: session.identity.traits.email,
        roles: session.identity.metadata_public.my_roles,
      },
    }
b
So we'd have to update my_roles every time we update a user's Ory Permissions... that feels likely to get out of sync or become stale? I'm thinking now that it might be better to cache user permissions at another layer. Maybe nginx in front of the Ory Permission API.