Let’s break this down clearly — you’re asking about JWT authentication using RS256 tokens (asymmetric cryptography) that include both tenant and user claims.
Here’s a complete explanation and example setup ๐
๐งฉ JWT Authentication Overview
JWT (JSON Web Token) is a compact, URL-safe way of representing claims to be transferred between two parties.
A JWT consists of three parts:
header.payload.signature
Example structure:
{
"alg": "RS256",
"typ": "JWT"
}
Payload (claims):
{
"sub": "user_12345",
"tenant": "tenant_abc",
"role": "admin",
"exp": 1736899200
}
๐ Why RS256?
RS256 uses asymmetric keys — a private key to sign tokens (on the Auth server), and a public key to verify them (on the Resource/API server).
It’s more secure for distributed systems or multi-tenant setups because you can share the public key safely with multiple APIs.
๐ง Including Tenant and User Claims
You can add custom claims like:
tenant: identifies which tenant (organization/account) the user belongs to.suboruser_id: identifies the specific user.
Example payload:
{
"iss": "https://auth.mycompany.com",
"aud": "https://api.mycompany.com",
"sub": "user_abc123",
"tenant": "tenant_xyz",
"role": "manager",
"iat": 1736820000,
"exp": 1736906400
}
⚙️ Token Generation (Auth Server side)
Node.js Example (using jsonwebtoken):
import fs from 'fs';
import jwt from 'jsonwebtoken';
const privateKey = fs.readFileSync('./private.pem');
const payload = {
sub: "user_12345",
tenant: "tenant_001",
role: "admin"
};
const token = jwt.sign(payload, privateKey, {
algorithm: 'RS256',
expiresIn: '1h',
issuer: 'https://auth.mycompany.com'
});
console.log(token);
✅ Token Verification (API side)
import fs from 'fs';
import jwt from 'jsonwebtoken';
const publicKey = fs.readFileSync('./public.pem');
function verifyToken(token) {
try {
const decoded = jwt.verify(token, publicKey, { algorithms: ['RS256'] });
console.log('Valid token:', decoded);
// Access tenant and user
const { tenant, sub } = decoded;
console.log(`Tenant: ${tenant}, User: ${sub}`);
return decoded;
} catch (err) {
console.error('Invalid token:', err.message);
throw err;
}
}
๐ข Multi-Tenant Use Case
When handling multi-tenancy:
Each tenant may have its own namespace or role mapping.
You can enforce tenant isolation by validating that:
The token’s
tenantclaim matches the resource being accessed.The
sub(user) is authorized within that tenant’s context.
Example validation rule:
if (request.tenantId !== decoded.tenant) {
throw new Error('Tenant mismatch – access denied');
}
๐ Public Key Distribution (for RS256)
If multiple services verify tokens:
Host the public key (JWKS endpoint) at:
https://auth.mycompany.com/.well-known/jwks.jsonYour services fetch and cache the JWKS to verify tokens dynamically.
๐งฉ Summary
| Component | Purpose |
|---|---|
| RS256 | Asymmetric signing: private key signs, public key verifies |
| tenant claim | Identifies organization/account |
| user claim (sub) | Identifies individual user |
| role claim | Defines authorization level |
| JWKS endpoint | Distributes public keys for verification |
Would you like me to show a complete implementation (JWT issuing + verifying + role/tenant enforcement middleware) in a language of your choice (Node.js, Python, or Java)?
No comments:
Post a Comment