How to handle Authorization in GraphQL servers?
Shall I pass the JWT token in the Authentication header of every requests and check for the authorized user after resolve() and check for the role of user on every query and mutation
Authorization in GraphQL servers
1.9k views Asked by parwatcodes At
1
There are 1 answers
Related Questions in AUTHORIZATION
- Add additional fields to Linq group by
- couldn't copy pdb file to another directory while consuming wcf web service
- Why are the aliases for string and object in lowercase?
- WPF MessageBox Cancel checkbox check
- Resolve object using DI container with object instance
- Creating a parametrized field name for a SELECT clause
- Does compiler optimize operation on const variable and literal const number?
- Get data from one form to another form in C#
- Writing/Overwriting to specific XML file from ASP.NET code behind
- Deleting Orphans with Fluent NHibernate
Related Questions in GRAPHQL
- Add additional fields to Linq group by
- couldn't copy pdb file to another directory while consuming wcf web service
- Why are the aliases for string and object in lowercase?
- WPF MessageBox Cancel checkbox check
- Resolve object using DI container with object instance
- Creating a parametrized field name for a SELECT clause
- Does compiler optimize operation on const variable and literal const number?
- Get data from one form to another form in C#
- Writing/Overwriting to specific XML file from ASP.NET code behind
- Deleting Orphans with Fluent NHibernate
Related Questions in RELAYJS
- Add additional fields to Linq group by
- couldn't copy pdb file to another directory while consuming wcf web service
- Why are the aliases for string and object in lowercase?
- WPF MessageBox Cancel checkbox check
- Resolve object using DI container with object instance
- Creating a parametrized field name for a SELECT clause
- Does compiler optimize operation on const variable and literal const number?
- Get data from one form to another form in C#
- Writing/Overwriting to specific XML file from ASP.NET code behind
- Deleting Orphans with Fluent NHibernate
Related Questions in GRAPHQL-JS
- Add additional fields to Linq group by
- couldn't copy pdb file to another directory while consuming wcf web service
- Why are the aliases for string and object in lowercase?
- WPF MessageBox Cancel checkbox check
- Resolve object using DI container with object instance
- Creating a parametrized field name for a SELECT clause
- Does compiler optimize operation on const variable and literal const number?
- Get data from one form to another form in C#
- Writing/Overwriting to specific XML file from ASP.NET code behind
- Deleting Orphans with Fluent NHibernate
Popular Questions
- How do I undo the most recent local commits in Git?
- How can I remove a specific item from an array in JavaScript?
- How do I delete a Git branch locally and remotely?
- Find all files containing a specific text (string) on Linux?
- How do I revert a Git repository to a previous commit?
- How do I create an HTML button that acts like a link?
- How do I check out a remote Git branch?
- How do I force "git pull" to overwrite local files?
- How do I list all files of a directory?
- How to check whether a string contains a substring in JavaScript?
- How do I redirect to another webpage?
- How can I iterate over rows in a Pandas DataFrame?
- How do I convert a String to an int in Java?
- Does Python have a string 'contains' substring method?
- How do I check if a string contains a specific word?
Popular Tags
Trending Questions
- UIImageView Frame Doesn't Reflect Constraints
- Is it possible to use adb commands to click on a view by finding its ID?
- How to create a new web character symbol recognizable by html/javascript?
- Why isn't my CSS3 animation smooth in Google Chrome (but very smooth on other browsers)?
- Heap Gives Page Fault
- Connect ffmpeg to Visual Studio 2008
- Both Object- and ValueAnimator jumps when Duration is set above API LvL 24
- How to avoid default initialization of objects in std::vector?
- second argument of the command line arguments in a format other than char** argv or char* argv[]
- How to improve efficiency of algorithm which generates next lexicographic permutation?
- Navigating to the another actvity app getting crash in android
- How to read the particular message format in android and store in sqlite database?
- Resetting inventory status after order is cancelled
- Efficiently compute powers of X in SSE/AVX
- Insert into an external database using ajax and php : POST 500 (Internal Server Error)
Introduction
First of all, a common approach for authentication as you state is using a signed JWT that contains the id of the user making the request.
Now let's have a look at the different parameters we can use when considering the authorization of a given request.
who is making the request?
determined by the user id mentioned above. More information about the requester like associated user roles can be looked up in the database. This means that we need to maintain a
Usertable if we are using SQL for example, and add new users to this table on registration.which operation should be executed?
users might be granted read-only access. Certain mutations or queries are only allowed for certain users.
which fields are included in the query/mutation response?
some fields should be only accessed by certain users.
Permissions
With this information in mind, we can come up with different permission systems. Most commonly, in such a system, no operation is allowed by default. When a request comes in, the parameters mentioned above can be matched with the existing permissions and if a matching permission is found, the request is granted.
Role-based permissions
In certain applications, a role-based approach works great. For example, for a simpler version of Stack Overflow, we could have the roles
EVERYONE,AUTHENTICATEDandMODERATOR. A sensible permission rule could be this:EVERYONEcan read questions/answersallQuestions,allAnswersqueriestextOther rules (leaving parameters out): *
AUTHENTICATEDusers can create new questions/answers *MODERATORusers can create new questions/answers *MODERATORusers can delete questions/answers.Now for example, if a non-authenticated requests comes in that asks for the
allQuestionsquery, that's fine as we find a permission that allows it (the first).If on the other hand an authenticated requests comes in for a user that doesn't have the
MODERATORrole and includes thedeleteQuestionmutation, there is no permission to be found for these parameters. So the request is rejected.Graph permissions
While role-based permissions represent a solid permission system already, they are not suited at all if we want to make granting permission dependant on things like the relation between the requester and the requested node. In our example, it would be quite the work to add the simple rule that any user is allowed to delete their own questions/answers.
At Graphcool, we have come up with a powerful yet rather simple approach that we call graph permissions to tackle this issue. Let's make the following additional parameters available when checking permissions:
which node is about to be accessed or modified?
determined by a node id
Then we can express permissions using a GraphQL query against a special permission schema to grant or reject permissions on a node level. Access to a given node is only given, if the permission query contains at least one leaf-node that is not
null.In our case, we could specify this permission query:
For a given node and user specified by GraphQL variables
$userIdand$nodeId, we use a query argumentfilterto either return an empty list if the node wasn't created by the current user, or something non-null otherwise.