Thanks, this seems to be exactly what we were looking for. Much better than creating a temporary user.
We'll use Amps to assign the xdmp:login privilege to the JWT checking code. The session is not needed, we'll check the JWT each time.

Thanks,
Andreas

2017-09-18 15:27 GMT+02:00 Jason Hunter <[email protected]>:

> Great, so make sure those role names map to those held in MarkLogic and then you can use xdmp:login. Notice how xdmp:login accepts a $role-names sequence of roles you want the user to have after logging in. It was added for just this use case. You just need a single weak user that everybody can login as, with the user's power coming from the roles passed in there.
>
> The code checking the JWT and doing the login needs to have the xdmp:login privilege. You may or may not want to set the session. With JWT probably not. I'd check the token on each go so you can use the JWT's precise time of expiration.
>
> -jh-
>
> On Sep 18, 2017, at 21:12, Andreas Hubmer <[email protected]> wrote:
>
> It is possible to add authorization information (roles) to the JWT. Example:
>
> {
>   "iss": "...",
>   "sub": "...",
>   "exp": ...,
>   "iat": ...,
>   "jti": "...",
>   "ver": "0.1",
>   "idp": "..",
>   "name": "Doe",
>   "firstName": "John",
>   "email": "[email protected]",
>   "roles": ["role1", "role2"]
> }
>
> 2017-09-18 14:59 GMT+02:00 Jason Hunter <[email protected]>:
>
>> I understand that JWT will provide for authentication. How do you intend to do authorization?
>>
>> Meaning, how do you intend to know what roles the username given in the JWT should have within MarkLogic? Or do all authenticated users get the same roles, or something?
>>
>> -jh-
>>
>> On Sep 18, 2017, at 15:07, Andreas Hubmer <[email protected]> wrote:
>>
>> Justin,
>>
>> I'll answer for my colleague.
>> We'd like to use JSON Web Tokens (JWT) and extract the user roles from the token.
>> The users are managed in an external system and, similar to the LDAP connection, we want to avoid that every user has to be created/updated in MarkLogic too.
>>
>> Amps do not give the same flexibility as a temporary user with an arbitrary combination of roles.
>>
>> Thanks,
>> Andreas
>>
>> 2017-09-15 17:50 GMT+02:00 Justin Makeig <[email protected]>:
>>
>>> Andreas,
>>> Rather than describe your solution, can you explain the problem you're trying to solve? Why do you think you need a temporary user? What permission/privilege challenge are you trying to address?
>>>
>>> You might also take a look at amps <https://docs.marklogic.com/guide/admin/security#id_81246>. An amp allows a security administrator to elevate the privileges of a specific function. This is beneficial in that the security is defined in configuration, not code.
>>>
>>> Justin
>>>
>>> --
>>> Justin Makeig
>>> Senior Director, Product Management
>>> MarkLogic
>>> [email protected]
>>>
>>> > On Sep 15, 2017, at 4:29 AM, Andreas Holzgethan <[email protected]> wrote:
>>> >
>>> > Hi @all,
>>> >
>>> > I need the possibility to create a temporary user for a transaction.
>>> > I just found in the documentation that such a functionality is used when for example LDAP is configured as an external security.
>>> >
>>> > Could you please explain to me how this is done there?
>>> >
>>> > My first thought was to create a user with the function "sec:create-user-with-role". At the end of the transaction I would just call the function "sec:remove-user".
>>> > Could you please give me feedback about this implementation?
>>> > Is such an implementation a big influence on the performance?
>>> >
>>> > Thanks!
>>> >
>>> > Best regards
>>> > Andreas Holzgethan
_______________________________________________
General mailing list
[email protected]
Manage your subscription at: http://developer.marklogic.com/mailman/listinfo/general
