How to handle Authorization with Permission/Roles while using JWT

Question

im facing a problem while implementing authorization in my first nodejs application which uses expressjs, sequelize and jsonwebtoken for authentication. Within I want to forbid/allow routes for different user and i dont want to use another package like oauth2 or something which handles authorization for me.

At the moment i have created a jsonwebtoken which has permission roles included within the payload:

{ 
    "userid": 1,  
    "name": "John Doe",  
    "permissions" : ["user_get", "user_post", "user_put"]
    "iat": 1505142542,  
    "exp": 1505146142
}

No i want to check within a call like "GET /user" if the authenticated user is allowed to call it.

My question is: Is it safe to use this approach or shouldnt I include the permissions within the jwt? Another alternative is to ask the database and retrieve the permission instead of checking the payload.

Additionally the token will be checked if it is still validated in case the server invalidates the user.

Answer 1

JWT is safe and good. If you are aware of OAuth2, you can even implement its simpler version.

1. Register a user give him a set of credentials suppose an user_id and password (Also called clientid and secret).
2. Whenever user registers for first time return a JWT with a set expiry time as you are doing it right now.
3. As you mentioned use it to check for permissions.
4. If JWT expires user can request new one by providing user_id and password.

Now what I would suggest is if you are not going to use

"userid": 1,  
"name": "John Doe" 

anywhere after validating user's permission to access API then do not keep them in JWT at all. Instead use a signature for your JWT this way don't need to keep the user details flowing on network. :)