
Commit

docs: fix typo
Signed-off-by: Pat Losoponkul <pat.losoponkul@iohk.io>
Pat Losoponkul committed Jan 3, 2024
1 parent aa4b86e commit d62cad6
Showing 1 changed file with 7 additions and 7 deletions.
14 changes: 7 additions & 7 deletions docs/decisions/20240103-use-jwt-claims-for-agent-admin-auth.md
Expand Up @@ -41,7 +41,7 @@ Integrating an auth model to distinguish between admins and tenants presents a n

In this option, the `ClientRole` is configured at the client level,
and the user is mapped to the `ClientRole` using a role mapper.
The role claim will be available in the JWT token at `resource_acces.<client_id>.roles`.
The role claim will be available in the JWT token at `resource_access.<client_id>.roles`.

2. Use `RealmRole` for defining roles in Keycloak

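Review bot: the corrected path `resource_access.<client_id>.roles` on the added line is the right one; it matches where Keycloak places client roles in an access token by default, so the earlier `resource_acces` would have sent readers looking for a claim that never appears. One style point in the same sentence: "JWT token" is redundant ("JSON Web Token token"), so "available in the JWT at `resource_access.<client_id>.roles`" reads better.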
Expand Down Expand Up @@ -103,10 +103,10 @@ Example JWT payload containing `ClientRole`. (Some claims are omitted for readab
}
}
```
The claim is available at `resource_access`.<client_id>.roles` by default.
The claim is available at `resource_access.<client_id>.roles` by default.
This is only a convention, not the standard.
The path to the claim should be configurable by the agent to avoid vendor lock.
The agent checks the token to see if it contains the role `agent-admin,
The agent checks the token to see if it contains the role `agent-admin`,
then allows the admin-related operations to be performed.

After introducing the role claim, there will be two distinct access control concepts.
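Review bot: the stray backtick in `resource_access`.<client_id>.roles` and the unclosed one in `agent-admin, are both fixed, but the surrounding text leaves one security-relevant detail implicit: because `resource_access` holds a separate entry per client, the agent must read only the entry for its own configured `<client_id>`, not any `roles` array found anywhere under `resource_access`, otherwise a role granted for a different client would satisfy the `agent-admin` check. Since "The path to the claim should be configurable by the agent" already sets up that thought, one sentence stating that the configured path is expected to select a single client's entry would close the gap. Minor wording: "This is only a convention, not the standard" would be clearer as "This is a Keycloak convention, not part of the JWT or OIDC standard", which is the reason the path needs to be configurable.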
Expand All @@ -116,13 +116,13 @@ After introducing the role claim, there will be two distinct access control conc
For instance, Alice can update a DID but not deactivate a DID on wallet#1.

2. Agent role, which manages agent-level permissions.
For example, Alice is an admin for agent #1 and can onboard new tenants,
but this authority doesn't extend to agent #2.
For example, Alice is an admin for agent #1 and can onboard new tenants,
but this authority doesn't extend to agent #2.

### Positive Consequences

- Naturally align the boundary of the admin role per agent instance
- Minimal configuration to include the claims
- Naturally align the boundary of the agent-level role per agent instance
- Ready to use abstraction, minimal configuration to use and include the claim
- Token can be reused across clients, enabling SSO use case
- Keep the wallet access and agent-level role separated

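Review bot: the removed and added pairs at "For example, Alice is an admin for agent #1 ..." are textually identical, so that part of the hunk is presumably a whitespace-only change (trailing spaces or indentation); that is fine for a docs commit but worth a word in the commit message so the diff does not look like a no-op. In the "Positive Consequences" list, "Ready to use abstraction" should be hyphenated as "Ready-to-use abstraction", and "enabling SSO use case" reads better as "enabling the SSO use case". Renaming "admin role" to "agent-level role" in the first bullet is consistent with the two-concept split introduced above, so that change is sound.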
