https://cerbos.dev logo
Title
c

Carl Bäckström

02/21/2023, 3:43 PM
Hello! We have just started looking into Cerbos for our Authorization needs. I had one initial question how would you enforce Cerbos policies in the FE. Let’s say that you want to hide a certain feature in the FE based on a policy?
a

Alex Olivier (Cerbos)

02/21/2023, 5:54 PM
Hey @Carl Bäckström - the approach we see a lot is users returning permissions along with the data. On your API layer, when you fetch the resource and check permissions against Cerbos, check for all the actions a user could do on the screen and then return the list of allowed actions. In the FE then conditional enabled/render components based upon this. For more global things (features, sections of the app etc) either return the permissions when you fetch the user profile or have discreete permissions endpoint.
c

Carl Bäckström

02/22/2023, 9:06 AM
Alright returning the permissions with the data sounds good for ABAC like permissions and sounds pretty straightforward. For the other scenario do you have some sample code for this. Would this entail enriching the id token with this information and how could this be done? We are using Auth0 for our authentication needs.
a

Alex Olivier (Cerbos)

02/22/2023, 9:16 AM
Sure here is a demo app we have which has a
/me
route for fetching the current logged in user along with the features they have access toohttps://github.com/cerbos/demo-app-expenses/blob/main/server/src/routes.ts#L381
c

Carl Bäckström

02/22/2023, 9:18 AM
Intressting thankyou!