Authentication when frontend directly makes permission checks to SpiceDB #1589
The context is that we're considering having the frontend check permissions and decide whether to render certain components or enable/disable certain components. I guess I cannot share the pre-shared gRPC secret with the frontend. Our existing frontend authenticates with the backend using a JWT token. I'm trying to see if it's possible to add a custom interceptor to the SpiceDB gRPC server to authenticate requests using a JWT token. If it's possible to plug in an interceptor, I could make SpiceDB also recognize the user and authenticate the user's calls originating from the frontend. But if not, I'll have to have a component somewhere in our system that verifies the JWT token and passes the permission check through using the pre-shared gRPC secret. Any advice would be greatly appreciated!
Replies: 1 comment 1 reply
👋🏻 Out of the box you won't be able to pass a JWT. The only option is a preshared key in OSS SpiceDB.
However, if you are willing to build your own SpiceDB, you could add a gRPC middleware that replaces the preshared key middleware to authenticate with JWTs. You can add any custom logic there.
Now if you plan to use JWT claims to feed into the API request payload (e.g. the `subject` of a `CheckPermission` call) that would be more involved, but would require some further customization of SpiceDB code.
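
The fallback described in the question (a backend component that verifies the JWT and forwards the check with the preshared key) can be sketched as below. This is an added example, not code from the discussion or from SpiceDB. It assumes HS256-signed tokens, and every name in it (`CheckRequest`, `Checker`, `ProxyCheck`, `verifyHS256`) is hypothetical. The subject comes only from the verified `sub` claim, never from the frontend's payload.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// CheckRequest is all the frontend may send; it deliberately has no subject field.
type CheckRequest struct{ ResourceType, ResourceID, Permission string }

// Checker stands in for the backend's SpiceDB client, the only holder of the preshared key.
type Checker func(subjectID string, r CheckRequest) (bool, error)

// verifyHS256 checks alg, signature and exp of a compact JWT and returns its "sub" claim.
func verifyHS256(token string, key []byte, now time.Time) (string, error) {
	p, b64 := strings.Split(token, "."), base64.RawURLEncoding
	var hdr struct{ Alg string }
	if hb, err := b64.DecodeString(p[0]); len(p) != 3 || err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "HS256" {
		return "", fmt.Errorf("malformed token or unsupported alg") // alg is pinned, not taken from the header
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(p[0] + "." + p[1]))
	if sig, err := b64.DecodeString(p[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return "", fmt.Errorf("bad signature")
	}
	var c struct{ Sub string; Exp int64 }
	if cb, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(cb, &c) != nil || c.Sub == "" || now.Unix() >= c.Exp {
		return "", fmt.Errorf("invalid or expired claims")
	}
	return c.Sub, nil
}

// ProxyCheck asks SpiceDB only about the verified caller and fails closed otherwise.
func ProxyCheck(token string, key []byte, now time.Time, r CheckRequest, check Checker) (bool, error) {
	sub, err := verifyHS256(token, key, now)
	if err != nil {
		return false, err
	}
	return check(sub, r)
}

func main() { // constructed input: a forged token is denied before any SpiceDB call
	fmt.Println(ProxyCheck("a.b.c", []byte("demo-key"), time.Now(), CheckRequest{"document", "1", "view"}, nil))
}
```

In a real deployment the `Checker` would wrap the SpiceDB `CheckPermission` call made with the preshared key, so that key never leaves the backend.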