Optional JWT Authorisation

bendechrai · May 20, 2021, 6:50am

Hey folks!

I have schema that includes Users and Groups. The relevant parts are:

type User {
  id: ID!
  sub: String! @id
  displayName: String!
}

type Group
  @auth(
    query: {
      or: [
        {
          rule: "query ($sub: String!) { queryGroup { owner(filter: { sub: {eq: $sub} }) { id } } }"
        }
        { rule: "query { queryGroup(filter: { public: true } ) { id } }" }
      ]
    }
  ) {
  id: ID!
  name: String!
  slug: String! @id
  public: Boolean @search
  owner: User!
}

# Dgraph.Authorization { "VerificationKey": "...", "Algo": "RS256", "Header": "X-Auth-Token", "Namespace": "https://example.com/jwt/claims",  "Audience": ["Auth0ClientID"], "ClosedByDefault": true }

What I’d like is for a query like:

{
  queryGroup {
    name
    slug
    public
    owner {
      displayName
    }
  }
}

to return all public groups, and if a JWT is provided, also the private groups that the current user owns.

When providing a valid JWT into the API Explorer, this works. When I don’t provide an JWT I’m told "message": "couldn't rewrite query queryGroup because a valid JWT is required but was not provided".

So it looks like the JWT is mandatory. What’s the best way to do this so I can have a public response to unauthenticated requests, and a response that includes the extra data when authentication passes?

Thanks in advance!
Ben

amaster507 · May 20, 2021, 5:23pm

What is your authorization line at the end of your schema (remove sensitive parts). I think you are probably using ClosedByDefault: true which

if set to true , requires authorization for all requests even if the type does not specify the @auth directive.

https://dgraph.io/docs/graphql/authorization/authorization-overview/

bendechrai · May 20, 2021, 6:49pm

Thanks Anthony,

I did have that set to true. When I read about that in the docs, I didn’t associate it with being specific to JWT authorisation. I thought it would be like the order deny,allow configuration from Apache, blocking all access unless any @auth directive matched.

Changing ClosedByDefault back to false fixes this.

I think it would still be good to have an option that blocks access by default, without reliance on JWTs, so will look into the best way of adding this as a feature request

Thanks again for your help!
B

Topic		Replies	Views
GraphQL Authorisation GraphQL graphql	6	999	June 11, 2020
Help with Auth rule for graphql GraphQL kind:question	1	325	March 11, 2021
The `@auth` directive - Graphql Documentation	13	2537	December 12, 2020
Overview - Graphql Documentation	4	890	February 1, 2021
Putting it All Together - Dgraph Authentication, Authorization, and Granular Access Control (PART 2) - Dgraph Blog Blog	12	1613	January 15, 2022

Optional JWT Authorisation

Related topics