Authorization in GraphQL
Suite Authorization builds on top of Hot Chocolate authorization, providing a custom implementation that integrates with Rbac, which acts as the authority for the entire Suite ecosystem.
Overview
Suite Authorization is enforced at the gateway tier after the authentication flow has completed. By default, every Bff generated through the template depends on GraphQLGatewayModule and therefore configures the authorization middleware properly.
Important
Only types exposed in graphql extension files are eligible for authorization support. To restrict access to a query or mutation with Suite Authorization, that query or mutation must be explicitly exposed to the corresponding federation.
Usage
Authorization can be enforced through the @suiteAuthorize directive. To do so, add the directive in your graphql extension file.
Note the following about how the directive is applied:
- The directive can be applied to types or to fields.
- If no permissions are given as argument, it only enforces authentication.
- It can receive several permissions as argument; a user needs to hold only one of the specified permissions to access the resource.
- If more than one permission must be met, repeat the directive (once for each required permission).
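The following graphql extension file, added here as an illustration (it is not code from the page or from the Suite project), applies the directive in each of the ways listed above. The type and field names, the permission strings and the `permissions` argument name are assumptions; check the directive definition shipped with your Suite version for the actual argument name.

```graphql
# Constructed example of a graphql extension file exposing an
# Equipment type to the federation. Type/field names, permission
# strings and the `permissions` argument name are assumptions.

# Type-level directive with no arguments: every field of Equipment
# requires an authenticated user, and nothing more.
type Equipment @suiteAuthorize {
  id: ID!
  name: String!
  # Field-level directive with several permissions: the caller must
  # hold at least ONE of them (OR semantics within one directive).
  purchasePrice: Float
    @suiteAuthorize(permissions: ["equipments.finance.read", "equipments.admin"])
}

extend type Query {
  # Authenticated users only (no permissions given).
  equipments: [Equipment!]! @suiteAuthorize

  # One directive listing two permissions: either one grants access.
  equipment(id: ID!): Equipment
    @suiteAuthorize(permissions: ["equipments.read", "equipments.admin"])
}

extend type Mutation {
  # Repeated directive: BOTH permissions are required (AND semantics),
  # because each application of the directive is evaluated on its own.
  retireEquipment(id: ID!): Equipment
    @suiteAuthorize(permissions: ["equipments.write"])
    @suiteAuthorize(permissions: ["equipments.retire"])
}
```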
The @suiteAuthorize directive is based on the Hot Chocolate (HC) @authorize directive and therefore supports similar behavior. Check the Hot Chocolate usage documentation for further details on how to apply the directive in each scenario.
Validation
The authorization middleware retrieves the current user id (if any) and then delegates the decision to a resolver. The Rbac resolver must be registered in the Bff by depending on the Rbac Authorization module.
Tutorial
For a better understanding of how to implement Suite Authorization, please check the Authorization section in our Equipments Service tutorial.