New feature: machine-to-machine role-based access control
Role-based access control (RBAC) now extends to machine-to-machine apps. This update lets you manage permissions for your machine-to-machine apps using the same approach as for user authorization.
Note
If you had switched on the "Enable admin access" toggle for machine-to-machine apps, that toggle has been retired in favor of a new "Management API access" role. If you had not enabled it, a new role with Management API permissions is now required to access the Logto Management API. See 🚝 Interact with Management API to learn more.
Starting today, when you create a new role, you can select either a "user role" or a "machine-to-machine app role" by expanding more options. All existing roles have automatically been converted to "user roles".
Constraints
- After creating a role, you cannot modify its type.
- The Logto Management API resource can only be accessed by machine-to-machine application roles.
Management API updates
Added APIs
Applications
- POST /applications/:appId/roles: assigns role(s) to the M2M application
- DELETE /applications/:appId/roles/:roleId: removes the role from the M2M application
- GET /applications/:appId/roles: lists all roles assigned to the M2M application
Roles
- POST /roles/:roleId/applications: assigns the role to multiple M2M applications
- DELETE /roles/:roleId/applications/:appId: removes the M2M application assigned to the role
- GET /roles/:roleId/applications: lists all M2M applications granted the role
Updated APIs
Roles
- POST /roles: now accepts the role type (either "user" or "machine-to-machine")
Users
- POST /users/:userId/roles: now rejects assigning M2M roles to end-users
Support the "roles" scope for issuing the "roles" claim in ID tokens
When you include "roles" in the scope parameter of the Logto SDK config (or manually append it to the OpenID Connect auth request), the ID token will include a "roles" claim containing an array of the user's roles. This may resolve #3411.
Security update
If an identifier (username, email, or phone number) experiences five authentication failures within an hour, it will be temporarily blocked from the authentication process for ten minutes.
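The lockout rule described above, written out as an added example (not Logto's own code): a sliding one-hour window of failures per identifier, with a ten-minute block after the fifth. It assumes case-insensitive identifier matching and that a triggered block resets the failure counter; both are choices the changelog does not specify.

```python
from collections import deque
import time

FAILURE_THRESHOLD = 5          # failures that trigger a block
FAILURE_WINDOW_SECONDS = 3600  # failures are counted within the last hour
BLOCK_SECONDS = 600            # a block lasts ten minutes


def normalize_identifier(identifier: str) -> str:
    # Assumption: identifiers are matched case-insensitively, so that
    # "Alice@Example.com" and "alice@example.com" share one counter.
    return identifier.strip().lower()


class IdentifierLockout:
    """Sliding-window failure counter per identifier, with a temporary block.
    `clock` is injectable so the policy can be exercised without sleeping."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}       # identifier -> deque of failure timestamps
        self._blocked_until = {}  # identifier -> timestamp when the block expires

    def is_blocked(self, identifier: str) -> bool:
        key = normalize_identifier(identifier)
        until = self._blocked_until.get(key)
        if until is None:
            return False
        if self._clock() >= until:
            del self._blocked_until[key]  # block expired; lift it
            return False
        return True

    def record_failure(self, identifier: str) -> bool:
        """Record one failed attempt; return True if it triggered a block."""
        key = normalize_identifier(identifier)
        now = self._clock()
        window = self._failures.setdefault(key, deque())
        # Drop failures older than an hour so the window slides forward.
        while window and now - window[0] >= FAILURE_WINDOW_SECONDS:
            window.popleft()
        window.append(now)
        if len(window) < FAILURE_THRESHOLD:
            return False
        self._blocked_until[key] = now + BLOCK_SECONDS
        window.clear()  # assumption: triggering a block resets the counter
        return True
```

Callers check is_blocked() before verifying credentials and call record_failure() on every failed attempt; the same counter key is used regardless of how the identifier was capitalized.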