How to write @auth incase of user role claim in JWT has a array format

Users GraphQL
, , ,
#1

Hi there,

I have the following schema in dgraph

type Todo {
    id: ID!
    text: String! @search(by: [term])
    owner: String!
}

I wanted to implement Role-Based Access control (RBAC) using the JWT token. My sample JWT token with role looks like below

{
  "http://abc.xyz.com//roles": [
    "admin",
    "superadmin"
  ],
  "nickname": "abc",
  "name": "abc@gmail.com",
  "picture": "",
  "updated_at": "2020-09-08T12:59:14.801Z",
  "email": "abc@gmail.com",
  "email_verified": false,
  "iss": "https://xxx.us.auth0.com/"
}

I know that I have use @auth directive in the schema to implement the authorization in the schema. I case if my claim contains ā€œisAdminā€: ā€œtrueā€ claim, I can write @auth in the below format

type Todo @auth(
    delete: { rule:  "{$isAdmin: { eq: \"true\" } }" },
) {
    id: ID!
    text: String! @search(by: [term])
    owner: String!
}

But in the given JWT sample above roles are in the array format. My requirement is to allow delete only if the user role is ā€˜adminā€™ or ā€˜superadminā€™. My question here is how I write the @auth directive to check, in the above JWT whether the claim ā€œhttp://abc.xyz.com//rolesā€ contains ā€˜adminā€™ or ā€˜superadminā€™. Maybe I need to write rule using ā€œinā€ operator. But i donā€™t know how to do it. Can anybody help me to write @auth directive for my requirement? Thanks in advance.

The `@auth` directive - Graphql
#2

Hi @sarankrishna, I assume you have added the # Dgraph.Authorization ā€¦ line at the bottom of schema.

I donā€™t know how to do this. But please see if this helps. I have this JWT

"https://dgraph.io/jwt/claims": {
    "USER": "xxx@gmail.com",
    "ROLE": "ADMIN"
  },
  "given_name": "xxx",
  "family_name": "xx",
  "nickname": "xxx",
  "name": "xxx",

And I can use it in this way. Please see if you can do something similar.
Tagging @abhimanyusinghgaur if he can provide better way.

#3

Not currently possible using arrays in Role Based Access Control.

Here was a related discussion:

That was about Booleans, but arrays are not supported either. I know I saw that somewhere here in the forum, just canā€™t find it right now. It might have been when @gja initially walked me through it that I picked that up.

Anyways, the only way to accomplish this right now would be to convert that array to single properties:

{
  "http://abc.xyz.com//admin": "true",
  "http://abc.xyz.com//superadmin": "true",
  "nickname": "abc",
  "name": "abc@gmail.com",
  "picture": "",
  "updated_at": "2020-09-08T12:59:14.801Z",
  "email": "abc@gmail.com",
  "email_verified": false,
  "iss": "https://xxx.us.auth0.com/"
}

Not sure though that you were not trying to use http://abc.xyz.com//roles as the claims portion of your JWT. If that was the case then it would need to look like:

{
  "http://abc.xyz.com/claims": {
    "isAdmin": "true",
    "isSuperAdmin": "true",
  },
  "nickname": "abc",
  "name": "abc@gmail.com",
  "picture": "",
  "updated_at": "2020-09-08T12:59:14.801Z",
  "email": "abc@gmail.com",
  "email_verified": false,
  "iss": "https://xxx.us.auth0.com/"
}
2 Likes
#4

@Naman Thanks for the response. I already added # Dgraph.Authorization line in the bottom of the schema. But my question was how to write the query/add/delete/update condtion when JWT contains the arrary of roles.

#5

@amaster507 Thanks for the response. I did exactly the same as you mentioned above(2nd way).

#6

Currently, the only way to achieve this is to break the array into single values as @amaster507 mentioned. But we will add support for arrays in RBAC rule in the upcoming release.

1 Like