Once Roles have been assigned, the final step in the RBAC implementation is to evaluate and enforce the RBAC Policy every time a Member attempts to perform an action on a Resource.
With Stytch, you can perform authentication and authorization in a single step with our Authenticate Session endpoint.
To evaluate incoming requests, our Authenticate Session endpoint and equivalent SDK methods accept an authorization_check object where you can pass in the organization_id, resource_id, and action.
Stytch will then authenticate the Session and evaluate the Member’s Roles against your Project’s RBAC policy in order to determine whether they are authorized to take the action specified in the request. If the Member does not have a Role that grants them the needed permission, the Authenticate Session endpoint will return a 403 unauthorized error. If the Session is invalid, the endpoint will return a 404 session not found error.
SDK local evaluations
Our backend SDKs will automatically fetch and refresh your Project’s RBAC policy in the background. Additionally, Stytch will include an end user's Roles in their JWT by default. As a result, authorization evaluations can be done locally without incurring the additional latency of making an extra call to Stytch.
Changes to a Member’s Role will take effect on the next JWT refresh, which happens at five-minute intervals.
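The two behaviours described above, a combined authenticate-plus-authorization_check call and a local evaluation of Roles carried in the session JWT, are shown below in an added Python example that is not Stytch's SDK code. It assumes a simplified role-to-permissions policy shape, a constructed HS256 signing key in place of Stytch's key material, and constructed claim names ("org", "roles") for the organization and Roles in the JWT; the "stytch.sso"/"update" pair is the page's own example. The timeline in demo() also shows the caveat from the previous paragraph: a Role removed from the directory is still honoured by the existing JWT until the next five-minute refresh, and a JWT whose roles claim was altered without a valid signature is rejected as an invalid session.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# The page states Role changes take effect on the next JWT refresh, every five minutes.
JWT_REFRESH_INTERVAL = 300  # seconds

# Constructed policy (role -> permissions); a simplified shape, not Stytch's policy schema.
POLICY = {
    "viewer": [{"resource_id": "documents", "actions": {"read"}}],
    "editor": [{"resource_id": "documents", "actions": {"read", "write"}}],
    "sso_admin": [{"resource_id": "stytch.sso", "actions": {"update"}}],
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT as a stand-in for the session JWT; claim names are constructed."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes, now: float) -> Optional[dict]:
    """Return claims only if signature and expiry check out; None means invalid session.
    Verifying before reading the roles claim is what makes local evaluation safe."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims

def role_grants(policy: dict, roles, resource_id: str, action: str) -> bool:
    """Local evaluation: does any assigned Role grant `action` on `resource_id`?"""
    return any(
        perm["resource_id"] == resource_id and action in perm["actions"]
        for role in roles
        for perm in policy.get(role, [])
    )

def authenticate_with_check(token, key, policy, organization_id, resource_id, action, now):
    """Authenticate the session, then evaluate the authorization_check:
    404 for an invalid session, 403 when no Role grants the action, 200 otherwise."""
    claims = verify_jwt(token, key, now)
    if claims is None:
        return {"status": 404, "error": "session_not_found"}
    # Assumption: a session belongs to one organization; a mismatch is unauthorized.
    if claims.get("org") != organization_id:
        return {"status": 403, "error": "unauthorized"}
    if not role_grants(policy, claims.get("roles", []), resource_id, action):
        return {"status": 403, "error": "unauthorized"}
    return {"status": 200, "member_id": claims["sub"], "roles": claims["roles"]}

def refresh_due(issued_at: float, now: float) -> bool:
    return now - issued_at >= JWT_REFRESH_INTERVAL

def demo() -> dict:
    """Timeline: a Role change is only reflected after the JWT refresh."""
    key = b"constructed-demo-key"            # constructed; not how Stytch JWTs are keyed
    org = "organization-demo"                # constructed organization_id
    directory = {"member-demo": {"editor"}}  # constructed Role assignments (source of truth)

    def mint(now):
        claims = {"sub": "member-demo", "org": org, "roles": sorted(directory["member-demo"]),
                  "iat": now, "exp": now + JWT_REFRESH_INTERVAL}
        return issue_jwt(claims, key), now

    def check(token, resource_id, action, now):
        return authenticate_with_check(token, key, POLICY, org, resource_id, action, now)["status"]

    out = {}
    token, issued = mint(0)
    out["t0_write"] = check(token, "documents", "write", 0)            # editor may write
    directory["member-demo"] = {"viewer"}                               # Role downgraded at t=60
    out["t60_write_stale"] = check(token, "documents", "write", 60)    # still allowed: no refresh yet
    now = 300
    if refresh_due(issued, now):
        token, issued = mint(now)                                       # new JWT carries new Roles
    out["t300_write"] = check(token, "documents", "write", now)        # now 403
    out["t300_read"] = check(token, "documents", "read", now)          # 200
    out["t300_sso_update"] = check(token, "stytch.sso", "update", now) # 403: no Role grants it
    # An altered roles claim no longer matches the signature, so it is an invalid session.
    header, _body, sig = token.split(".")
    forged_body = _b64url(json.dumps({"sub": "member-demo", "org": org, "roles": ["sso_admin"],
                                      "iat": now, "exp": now + JWT_REFRESH_INTERVAL}).encode())
    out["forged_roles"] = check(f"{header}.{forged_body}.{sig}", "stytch.sso", "update", now)
    return out

if __name__ == "__main__":
    print(demo())
```

The status codes mirror the page's description of the Authenticate Session endpoint; the point of the timeline is that anything granted by a Role stays effective locally until the JWT carrying that Role is replaced, so a time-sensitive revocation should also revoke the session rather than only edit the Role.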
Stytch Resources and other endpoints
For requests that act on Stytch default Resources through Stytch API endpoints such as Update Organization, Update SAML Connection, or Invite Member, you can include the Member's Session in the request headers to perform an RBAC authorization check. Stytch will then check that the Member has the necessary permissions to perform the requested action on that Stytch Resource. For example, to call the Update SAML Connection endpoint, the Member must have a Role that grants the update action on the stytch.sso Resource.
Contact us for more details on our upcoming RBAC release.