Generating JWT for authentication
Netlify allows you to control access to routes on a site according to roles in the visitor's JWT. AuthGuardian has built-in support for setting roles based on various criteria.
Netlify only supports shared-secret JWTs, so we'll have to set a JWT secret in both our Netlify site and our OneGraph app.
Note: If you're using OneGraph JWTs with other APIs like Hasura or Node.js along with Netlify, you'll also need to switch those to the same shared secret.
Netlify's role-based access control may not be available on every account; check with their support if you're trying to use it, and read more about it in their documentation.
Setting a shared secret on Netlify
In your site dashboard on Netlify:

- Navigate to `Settings -> Access Control -> Visitor access`
- Click `Set JWT secret`
- Enter a sufficiently long password
Setting a shared secret on OneGraph
Now we'll have to set the same shared secret in OneGraph so that the JWTs are signed for Netlify:

- Navigate to your app, then `Auth Services -> JWT Settings`
- Change `Signature method` to `Shared secret`
- Enter the exact same password you used for Netlify

Note: Also be sure to add your Netlify site (and any custom domains) to the CORS list so users will be able to log in.
Configure your Netlify roles in AuthGuardian
Using AuthGuardian, we can easily control access to our Netlify site.
Consider the following example:
I have a sales dashboard on my Netlify site at `/sales`, but it has sensitive data that I pull from the Salesforce API. I only want members of my sales team to be able to access the sales dashboard.
We can achieve that with a simple AuthGuardian rule:
And in our `public/_redirects` file we'll add the following restrictions:

```
/sales 200! Role=admin
/sales /login 401!
```

And that's it! Now anyone who tries to access `/sales` on our Netlify site must belong to our Salesforce organization!