Generating JWT for authentication

Netlify allows you to control access to routes on a site according to roles in the visitor's JWT. AuthGuardian has built-in support for setting roles based on various criteria.

Netlify only supports shared-secret JWTs, so we'll have to set a JWT secret in both our Netlify site and our OneGraph app.

Note: If you're using OneGraph JWTs with other APIs like Hasura or node.js along with Netlify, you'll need to also change them to the same shared secret

Netlify's role-based access control may not be available on every account, be sure to ask their support if you're trying to use it - read more about it in their documentation.

Setting a shared secret on Netlify

In your site dashboard on Netlify,

1. Navigate to Settings -> Access Control -> Visitor access
2. Click Set JWT secret
3. Enter a sufficiently long password

Setting a shared secret on OneGraph

Now we'll have to set the same shared-secret in OneGraph so that the JWTs are signed for Netlify:

1. Navigate to your app, then Auth Services -> JWT Settings
2. Change Signature method to Shared secret
3. Enter the exact same password you used for Netlify

Note: Also be sure to add your Netlify site (and any custom domains) to the CORS list so users will be able to log in

Configure your Netlify roles in AuthGuardian

Using AuthGuardian, we can easily control access to our Netlify site.

Consider the following example:

I have a sales dashboard on my Netlify site at /sales, but it has sensitive data that I pull from the Salesforce API.

I only want members of my sales team to be able to access the sales dashboard

We can achieve that with simply:

And in our public/_redirects file we'll add the following restrictions:

/sales          200!    Role=admin
/sales  /login  401!

And that's it! Now anyone who tries to access /sales on our Netlify site must belong to our Salesforce organization!