Optional JWT Authorisation

Hey folks!

I have a schema that includes Users and Groups. The relevant parts are:

type User {
  id: ID!
  sub: String! @id
  displayName: String!
}

type Group
  @auth(
    query: {
      or: [
        {
          rule: "query ($sub: String!) { queryGroup { owner(filter: { sub: {eq: $sub} }) { id } } }"
        }
        { rule: "query { queryGroup(filter: { public: true } ) { id } }" }
      ]
    }
  ) {
  id: ID!
  name: String!
  slug: String! @id
  public: Boolean @search
  owner: User!
}

# Dgraph.Authorization { "VerificationKey": "...", "Algo": "RS256", "Header": "X-Auth-Token", "Namespace": "https://example.com/jwt/claims",  "Audience": ["Auth0ClientID"], "ClosedByDefault": true }

What I’d like is for a query like:

{
  queryGroup {
    name
    slug
    public
    owner {
      displayName
    }
  }
}

to return all public groups, and if a JWT is provided, also the private groups that the current user owns.

When providing a valid JWT in the API Explorer, this works. When I don’t provide a JWT I’m told "message": "couldn't rewrite query queryGroup because a valid JWT is required but was not provided".

So it looks like the JWT is mandatory. What’s the best way to do this so I can have a public response to unauthenticated requests, and a response that includes the extra data when authentication passes?

Thanks in advance!
Ben


What is your authorization line at the end of your schema (remove sensitive parts)? I think you are probably using ClosedByDefault: true, which

if set to true , requires authorization for all requests even if the type does not specify the @auth directive.

https://dgraph.io/docs/graphql/authorization/authorization-overview/

Thanks Anthony,

I did have that set to true. When I read about that in the docs, I didn’t associate it with being specific to JWT authorisation. I thought it would be like the order deny,allow configuration from Apache, blocking all access unless any @auth directive matched.

Changing ClosedByDefault back to false fixes this.

I think it would still be good to have an option that blocks access by default, without reliance on JWTs, so will look into the best way of adding this as a feature request :smiley:

Thanks again for your help!
B
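To make the point from Anthony's reply concrete, below is the schema from the thread with the `# Dgraph.Authorization` line in its corrected form, annotated with what each setting does to an unauthenticated request. This is an added example written for this page, not code from the thread or from the Dgraph project; the types and rules are the ones Ben posted, and the `<PEM public key>` placeholder stands in for the real verification key, which is not shown.

```graphql
# Added example, not from the original thread: Ben's schema with the
# authorization line set so that unauthenticated queries are accepted.

type User {
  id: ID!
  sub: String! @id
  displayName: String!
}

# Two query rules joined with `or`:
#   - the first needs the `sub` claim from the JWT and matches the groups
#     the caller owns;
#   - the second needs no claim at all and matches groups with public: true.
# With no JWT on the request, a rule that needs a claim cannot be satisfied
# and contributes nothing; the claim-free rule still applies, so an
# unauthenticated caller gets only the public groups, which is the behaviour
# the original post asked for.
type Group
  @auth(
    query: {
      or: [
        { rule: "query ($sub: String!) { queryGroup { owner(filter: { sub: { eq: $sub } }) { id } } }" }
        { rule: "query { queryGroup(filter: { public: true }) { id } }" }
      ]
    }
  ) {
  id: ID!
  name: String!
  slug: String! @id
  public: Boolean @search
  owner: User!
}

# The setting that produced the "a valid JWT is required" error in the thread
# was "ClosedByDefault": true on this same line: every request then has to
# carry a JWT that verifies, whether or not the @auth rules for the type
# being queried need one.
#
# With "ClosedByDefault": false (the default), a request without a JWT is
# accepted and only the rules that need no claims can match. Caveat: false
# also means a type that has no @auth directive at all (User above) is
# readable by any caller, authenticated or not, so every type that holds
# non-public data needs its own @auth rules. The authorization line must be
# the last line of the schema. <PEM public key> is a placeholder for the
# real key, which is an assumption of this example.
# Dgraph.Authorization {"VerificationKey":"<PEM public key>","Algo":"RS256","Header":"X-Auth-Token","Namespace":"https://example.com/jwt/claims","Audience":["Auth0ClientID"],"ClosedByDefault":false}
```

After loading a schema like this, a useful check is to run the `queryGroup` query from the original post twice, once with no `X-Auth-Token` header and once with a valid token whose `sub` claim matches a group owner, and confirm that the first response contains only groups with `public: true` while the second also contains that owner's private groups; the same two requests against `queryUser` will show whether the caveat above applies to your data.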