Hi devs, how do you implement RBAC?
# sst
j
Hi devs, how do you implement RBAC?
t
RBAC in your application?
j
users in db have a role, would like to allow certain roles per endpoint
t
I'm curious about this as well
j
I thought about managing it with a custom authorizer, but I can't find a way to make it dynamic per endpoint.
o
Yeah you’d need a mapping between routes and roles inside the authorizer to do it in there. Currently I use `graphql-shield` with apollo. The last REST API I did had individual lambdas for each endpoint/method. For that one I created a shared auth lib. It had two modes - for admin and user functionality.

Admin auth was a function that, when called:
• checked you had the admin role on the request object (admin role was stored on the jwt via auth0)
• threw an exception if you weren’t an admin

User auth took in an async check function as a parameter. When called it’d:
• retrieve the user from the DB (unless it was already attached to the request object)
• run the check function, with the user as a parameter (since this function is passed in, it has access to the closure of the calling code, so it can check `entity.owner === user.id` etc). Could also make its own db calls if needed, but usually the data needed to authorise had to be loaded by the handler anyway. Check function must return true
• throw an exception if the user isn’t found or the check function returns not true
d
We have roles coded into our app right now. The users get the role in our database. The actions allowed by the role are defined in code. The lambda endpoints check if the user’s role has permissions. It works. However, our configuration is a bit too rigid, and mostly it just means that we end up granting permissions over and over again. I’m curious about open-source solutions, google zanzibar, and/or oso. https://www.osohq.com/
o
Met a founder from this startup that’s building a SaaS solution to this: https://www.govista.io/#/
j
Another startup to throw in the mix https://authzed.com