Permit.io and Authentication
This guide provides a comprehensive overview of authentication and authorization with Permit.io, covering everything from basic concepts to implementation details. Feel free to use it as a complete reference or jump to specific sections that are relevant to your needs.
- Authentication establishes identity; Authorization defines access.
- Permit.io seamlessly integrates with any Authentication provider to enforce granular access control.
- Choose the right role management approach: Authentication-managed, Permit.io-managed, or hybrid.
- Use
syncUser()post-authentication to ensure real-time updates. - Permit.io Supports SCIM, API-based sync, JWT attribute passing, and dynamic direct policy checks.
Authentication & Authorization — Better Together
Authentication (AuthN) is the process of verifying user identity—confirming users are who they claim to be through credentials, Single Sign-On (SSO), or multi-factor authentication (MFA).
Authorization (AuthZ) determines what authenticated users can do within your application. While authentication establishes identity, authorization controls access based on that identity.
A secure system requires both working in harmony:
- Authentication verifies identity but doesn't define permissions
- Authorization enforces permissions but requires verified identities
- Together, they create a complete security model
Permit.io bridges these systems by seamlessly integrating with any authentication provider you already use, while adding powerful, policy-driven authorization that scales with your application.
Integrating AuthN with Permit.io
After completing AuthN there must be a handoff to AuthZ. Permit.io facilitates this transition by ensuring that the authorization system has the most up-to-date user and role information at all times.
To achieve this, there are multiple ways to sync user data between AuthN and AuthZ:
Live & In-Line Sync:
- After authentication, call
syncUser()to update Permit.io with the latest user attributes and roles. - Alternatively, pass the JWT payload as attributes in
permit.check()to dynamically include user details in access decisions.
- After authentication, call
Pre-Sync (Backend Sync):
- Use Permit.io's API to pre-sync user data before authorization checks occur.
- Automate user and role provisioning with SCIM to keep authorization aligned with identity provider updates.
Permit.io recommends using syncUser() immediately after AuthN for most architectures. However, depending on how roles are assigned and managed, other strategies may be more appropriate. Whether you use a live sync approach, backend synchronization, or a combination of both, Permit.io ensures your AuthZ policies remain accurate and up-to-date.
When it comes to AuthN, Permit.io provides the flexability to:
- Connect to any existing authentication provider utilizing the concept of "the handoff point"
- Synchronize users and roles via SCIM or API
Authentication Integration
Permit.io is designed to integrate seamlessly with any authentication solution you already use or plan to implement. Our authorization layer works independently of your authentication choice, giving you complete flexibility.
Popular Authentication Integrations: Below are guides for common authentication solutions:
Compatible with All Authentication Standards:
- OAuth 2.0
- OpenID Connect (OIDC)
- SAML
- WS-Fed
- Headers
- mTLS
Universal Compatibility: Whether you use a commercial identity provider, an open-source solution, or a custom authentication system, Permit.io's authorization layer will integrate with it through our flexible handoff mechanisms.
Choosing the Right Approach for AuthN-Managed Roles
Authentication verifies identity, but where should roles and policies be managed?
Permit.io offers multiple approaches to role management, each with its own benefits depending on your needs.
Approach 1: AuthN-Managed Roles (IdP-Managed)
- Best For: Centralized enterprise access, SCIM-based role provisioning
- How It Works: Roles are assigned in an identity provider (IdP) and synced with Permit.io for enforcement.
- Pros: Simplifies role assignment with centralized IT management.
- Cons: Limited flexibility for dynamic permissions, no support for ReBAC.
Approach 2: Application-Managed Roles (Permit.io-Managed)
- Best For: Multi-tenant SaaS apps, dynamic access control
- How It Works: Roles are created and managed within Permit.io, allowing for granular, flexible access control.
- Pros: Supports dynamic and contextual access control, ReBAC, and custom role management.
- Cons: Requires user sync and structured role assignment.
Approach 3: Hybrid AuthN & Permit.io Role Management
- Best For: Organizations that need both centralized role management and flexible application-level access control.
- How It Works: IT manages high-level roles in the IdP, while Permit.io refines access with fine-grained policies.
- Pros: Combines IT governance with application-specific control.
- Cons: Requires clear role handoff mechanisms between IT and application owners.
How AuthN & Permit.io Work Together
User Logs In
Identity Provider (IdP) or authentication system authenticates the user.
Permit.io Syncs User Info
Users & roles are synced via syncUser() to keep AuthZ policy data up-to-date.
Permit.io Applies Policy Enforcement
Decisions are based on roles, attributes, and relationships.
Access is Granted or Denied
Enforcement happens via a Permit.io SDK, API Gateways AuthZ integration, or direct PDP API call.
Why This Works
- Clearly separates AuthN vs. AuthZ responsibilities.
- Helps teams choose the best role management approach for their needs.
- Provides an overview while linking to deeper, technical content.
- Ensures alignment with SCIM-based provisioning, API-based sync, and dynamic role assignment.