Authorization
Authorization defines what actions a user can perform or which resources they can access after being authenticated, determining what they can do in your app.
Logto's authorization service uses a token-based mechanism. Logto issues the access tokens, but your resource server is responsible for validating them and enforcing what they grant as part of access control.
There are two types of access tokens:
- Access tokens: Used to access user/system API resources.
- Organization tokens: Special access tokens for organization resources, used in a multi-tenant architecture when the organization feature is enabled.
Logto offers authorization services for various scenarios. The table below lists several typical use cases; choose the one that matches your requirements and the corresponding Logto features and services.
| Scenario | How to | Authorization flow |
|---|---|---|
| Simply protect your API resources, without RBAC. | Register your API in Logto Console, and Logto will grant access tokens for it. | Logto grants an access token (without permissions), and you need to validate these tokens to protect your API resources. |
| Protect your API resources with RBAC. | Register your API and apply RBAC for flexible, granular access control. | Logto grants an access token with the permissions included to protect your API resources. |
| Protect your organization resources using organization-level RBAC (organization template). | Treat each organization as a resource, using organization-level RBAC (organization template) for access control in a multi-tenant architecture. | Logto grants an organization token with organization permissions to protect organization-level resources. |
You can also use tools like custom token claims to include additional claims in access tokens to meet your custom technical requirements. A more advanced use case is to protect your API resources using organization-level RBAC (organization template).
Get familiar with Role-based access control
Role-based access control is used throughout the entire Logto infrastructure, at both the system level (RBAC) and the organization level (organization RBAC). It involves the following entities:
- Subjects: These can be real users (or members in organization context) or non-human entities, like machine-to-machine apps.
- API resources: The resources within your system that need protection.
- Roles: Represent job functions or responsibilities.
- Permissions: Define what actions are authorized on specific resources.
Managing these entities and their relationships lets you meet your access control needs flexibly. In Logto, you can use RBAC at two levels: the user/system level (with no intermediate organization layer involved) and the organization level. The organization context has an independent RBAC design, which we call the “Organization template”.
Features for authorization
- Simply register API resources in Logto Console and protect your API resources.
- Use role-based access control (RBAC) to manage user/system-level permissions for easier management and flexibility.
- Use the organization template (organization RBAC) to protect your resources. Ideal for multi-tenant products, with roles defined at the organization level.
- Use custom token claims to add custom claims and implement attribute-based access control.
Related resources
- RBAC and ABAC: The access control models you should know
- Logto's authorization system and its use in identity management scenarios