JWT authentication

gja commented:

Hi @emregency,

Thank you for the experience report. I wanted to ask a few questions to clarify exactly what you are looking for.

We currently have two types of authentication / authorization in our system:

  • ACLs - This allows you to set up rules for which users can access which data. However, the granularity of these rules is at the predicate level, and not at the individual records. As you’ve mentioned, this does work based on JWT. https://dgraph.io/docs/enterprise-features/#access-control-lists
  • JWT Authorization for GraphQL - This is currently in beta, and will be available in 20.07. The JWT Authorization will allow you to set up Dgraph with an external public key for JWT signatures, then make arbitrary claims on the data that is queried / created by the GraphQL endpoint. More details here: GraphQL Authorisation

Does the JWT Authorization for GraphQL solve your use case? If you are looking for ACL, but have the IAM provider be a 3rd party, then would you be able to generate a JWT token in Dgraph’s format, or do you think that Dgraph should also support custom JWT? Finally, which client are you using (dgo / dgraph4j / etc…, or the REST/gRPC endpoints directly)?

Tejas