Remote Authorization Hooks

  1. What is the recommended GraphQL client for Golang?

  2. When will the @auth directive support remote queries for authorization as an alternative to JWT w/ custom claims?

  3. Are there any customers using DGraph for time-series data (i.e. an alternative to InfluxDB)?

Here is our setup in a nutshell. We have a @custom Mutation that takes a username and password and hits a lambda function. The lambda function hits back at the Dgraph GraphQL endpoint to find a matched user. If there is a matched user, then the lambda function generates the JWT and sends it back as the response.

After authenticating and getting a JWT, the user adds it to the header (our UI does this on the user’s behalf), and then we compare it to rules, which can be GraphQL queries or just static value comparison rules.

If the JWT expires, GraphQL will throw an error, which will have to be handled by the UI to prompt a new login.

If every query/mutation required a remote query, then every query/mutation would need the full user credentials, which is definitely not secure.


Thank you for sharing this. If I understood correctly, you’re handling authentication externally, but still using rules/queries in the @auth directive to make access control decisions, right?

What I’m wondering is how to handle authorization externally, meaning having SlashQL query my service for an access allowed/denied decision as opposed to using custom claims and queries in the @auth directive.

From my understanding, this would cripple the speed of authorization, as authorization rules have to run on every request. I think with the upcoming Implement custom JS resolvers in GraphQL you could do a fetch to an external source in a pre-hook using the JWT. But again, that requires more network traffic and latency, which does slow down the entire chain.


True, but by colocating we can keep added latency < 100ms for a very high percentile. We already have a sidecar model for authorization across all of our services, and we’re hoping to achieve the same w/ SlashQL.

Hi @vinniefg,

Thanks for the question. I’m answering the part about the Remote Authorization here.

We do have this on our roadmap. The way this would work is that you would be able to configure a remote hook in your GraphQL endpoint, and we’d forward relevant request headers to that endpoint. Whatever JSON is returned by that endpoint is interpreted as custom claims.

I don’t have a specific timeline for this, but we are working on this, and it should be ready sometime in Q4 of this year.

Tejas


@gja Thanks for following up - if you guys could bump priority that’d be great - also, can the query/request body be forwarded as well?


@gja any update on the roadmap? Do you guys have a target launch date for this already? What about some alpha/beta documentation on how this will work/how to implement it?


Hi, I would also be interested in this. I had plans to use Ory Keto as an authorization server, but I need remote hooks for that. I see it’s on the roadmap, but what is the current state?

Also I’m unsure about the implementation details by @gja. Are there any further plans somewhere?

I would also like to add, I’m not sure I’m capable of doing so, but if there are concrete plans, I could try to contribute such a feature.
