Hello! We have just started looking into Cerbos for our Authorization needs. I had one initial question how would you enforce Cerbos policies in the FE. Let’s say that you want to hide a certain feature in the FE based on a policy?

Hey @Carl Bäckström - the approach we see a lot is users returning permissions along with the data. On your API layer, when you fetch the resource and check permissions against Cerbos, check for all the actions a user could do on the screen and then return the list of allowed actions. In the FE then conditional enabled/render components based upon this. For more global things (features, sections of the app etc) either return the permissions when you fetch the user profile or have discreete permissions endpoint.

Alright returning the permissions with the data sounds good for ABAC like permissions and sounds pretty straightforward. For the other scenario do you have some sample code for this. Would this entail enriching the id token with this information and how could this be done? We are using Auth0 for our authentication needs.

Sure here is a demo app we have which has a

/me

route for fetching the current logged in user along with the features they have access toohttps://github.com/cerbos/demo-app-expenses/blob/main/server/src/routes.ts#L381

Intressting thankyou!