graphql-platform
Unable to authorize using two authorization schemes
Is there an existing issue for this?
- [X] I have searched the existing issues
Describe the bug
We have a requirement to be able to authorize a request to our GraphQL/HC API using a bearer token or API key while also allowing anonymous calls for introspection. Up until a week or two ago we were able to accomplish this using the setup below in Program.cs. Our settings were based on a Stack Overflow answer on the topic (link below):
Link: https://stackoverflow.com/questions/61157111/specifying-an-authentication-scheme-for-a-single-route-thats-handled-by-middlew
Code (Program.cs):
app.UseEndpoints(endpoints =>
{
    endpoints.MapControllerRoute("default", "{controller=User}/{action=Index}/{id?}");

    endpoints
        .MapGraphQL()
        // Endpoint-level authorization naming both authentication schemes...
        .RequireAuthorization(new AuthorizeAttribute
        {
            AuthenticationSchemes = "Bearer,ApiKey"
        })
        // ...followed by AllowAnonymous on the same endpoint.
        .AllowAnonymous()
        .WithOptions(new GraphQLServerOptions
        {
            EnableGetRequests = false
        });

    endpoints.MapGraphQLVoyager("/voyager");
    endpoints.MapGraphQLGraphiQL("/graphiql");
});
This did not make much sense to me, since I am globally requiring authorization and then allowing anonymous, but it worked for months, so I left it. Now the above setup allows me to authorize using a bearer token or API key, but it is also requiring authorization on introspection calls. We need introspection to allow anonymous calls so that our Angular app can use it for code generation.
My first thought to fix this was to remove the "RequireAuthorization" settings above and specify multiple authorization schemes within our individual Authorize attributes, but I do not see a way to do this. Based on my research, the only way to specify multiple authorization schemes within GraphQL/HC is the above setup.
Steps to reproduce
- Use the settings specified in the description of this bug.
- Try to use the introspection call to generate the schema
- Get an unauthorized error instead of being able to use the introspection call anonymously.
Relevant log output
No response
Additional Context?
I have also tried different endpoint configuration combinations (as suggested in the current documentation) to require authorization on GraphQL HTTPS calls but not on the Banana Cake Pop endpoints, without any success.
Our current workaround is to comment out the "RequireAuthorization" settings. This allows us to still authorize using a bearer token on calls with the [Authorize] attribute and to use introspection anonymously. This setup does not allow us to authorize using an API key.
I am by no means a GraphQL/HotChocolate expert so any help finding a solution would be greatly appreciated! Thanks.
Product
Hot Chocolate
Version
12.12.1
I had the same issue. I've created a policy of two authorization schemes and use it in global authorization:
app.MapGraphQL().RequireAuthorization("CustomPolicy");
I don't know why using attributes didn't work for me.
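The following Program.cs is an added example, not code from the issue author or from the Hot Chocolate project, that combines the two approaches discussed above (the reporter's requirement of bearer-or-API-key on the GraphQL endpoint with anonymous introspection, and the reply's policy-based global authorization). It relies on two ASP.NET Core facts: the authorization middleware only authenticates the schemes named in a policy when the endpoint carries authorization metadata (without it, only the default scheme ever populates HttpContext.User, which is why the workaround of removing RequireAuthorization loses API-key auth), and a policy whose only requirement is an always-true assertion authenticates both schemes without challenging anonymous callers. The scheme name "ApiKey", the policy name "AuthenticateBearerOrApiKey", the ApiKeyAuthenticationHandler class, the X-Api-Key header, the constant key and the Jwt:* configuration keys are all assumptions made for the example.

```csharp
// Added example (not the issue author's code and not Hot Chocolate's own).
// Requires the NuGet packages HotChocolate.AspNetCore,
// HotChocolate.AspNetCore.Authorization and
// Microsoft.AspNetCore.Authentication.JwtBearer (ASP.NET Core 6 era, Hot Chocolate 12).
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Text.Encodings.Web;
using HotChocolate.AspNetCore;
using HotChocolate.AspNetCore.Authorization;   // Hot Chocolate's [Authorize], not MVC's
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)   // "Bearer" remains the default scheme
    .AddJwtBearer(options =>
    {
        options.Authority = builder.Configuration["Jwt:Authority"]; // assumed configuration keys
        options.Audience = builder.Configuration["Jwt:Audience"];
    })
    .AddScheme<AuthenticationSchemeOptions, ApiKeyAuthenticationHandler>("ApiKey", null); // assumed scheme name

builder.Services.AddAuthorization(options =>
{
    // Authentication-only policy (assumed name): the authorization middleware runs BOTH
    // schemes and merges any resulting identities into HttpContext.User, but the single
    // always-true requirement means an anonymous request is never challenged here.
    // Access is denied per field by Hot Chocolate's [Authorize] below, so introspection
    // and any unattributed field stay anonymous.
    options.AddPolicy("AuthenticateBearerOrApiKey", policy => policy
        .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme, "ApiKey")
        .RequireAssertion(_ => true));
});

builder.Services
    .AddGraphQLServer()
    .AddAuthorization()          // wires Hot Chocolate's @authorize directive to ASP.NET Core authorization
    .AddQueryType<Query>();

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

app.MapGraphQL()
    .RequireAuthorization("AuthenticateBearerOrApiKey")
    .WithOptions(new GraphQLServerOptions { EnableGetRequests = false });

app.Run();

public class Query
{
    // No attribute: resolvable anonymously, exactly like __schema / __type.
    public string Ping() => "pong";

    // Requires an authenticated user. Either scheme satisfies it, because the
    // endpoint policy already authenticated both and populated HttpContext.User.
    [Authorize]
    public string Secret() => "only for bearer-token or API-key callers";
}

// Minimal API-key scheme for the example. The constant key is an assumption;
// a real handler would look the key up in a store. The fixed-time comparison
// avoids leaking how much of the key matched through response timing.
public class ApiKeyAuthenticationHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    private const string HeaderName = "X-Api-Key";                 // assumed header
    private const string ExpectedKey = "example-key-do-not-use";   // assumed, example only

    public ApiKeyAuthenticationHandler(
        IOptionsMonitor<AuthenticationSchemeOptions> options,
        ILoggerFactory logger,
        UrlEncoder encoder,
        ISystemClock clock)
        : base(options, logger, encoder, clock) { }

    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        // No header: let the other scheme (or anonymity) decide; do not fail.
        if (!Request.Headers.TryGetValue(HeaderName, out var values) || values.Count == 0)
            return Task.FromResult(AuthenticateResult.NoResult());

        var presented = Encoding.UTF8.GetBytes(values[0] ?? string.Empty);
        var expected = Encoding.UTF8.GetBytes(ExpectedKey);
        if (!CryptographicOperations.FixedTimeEquals(presented, expected))
            return Task.FromResult(AuthenticateResult.Fail("Invalid API key"));

        var identity = new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, "api-key-client") }, Scheme.Name);
        var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), Scheme.Name);
        return Task.FromResult(AuthenticateResult.Success(ticket));
    }
}
```

With this wiring a POST to /graphql carrying either `Authorization: Bearer <jwt>` or `X-Api-Key: <key>` can resolve `secret`, a request with neither can still run `{ __schema { types { name } } }` or `{ ping }` but gets an authorization error on `secret`, and a request with a wrong key is rejected by the ApiKey handler. The trade-off to be aware of is that the endpoint itself never denies anything: protection is opt-in per field, so every sensitive field (or its object type) must carry [Authorize], and a forgotten attribute silently exposes the field. If that posture is unacceptable, keep the reply's stricter `RequireAuthorization("CustomPolicy")` with `RequireAuthenticatedUser()` on the endpoint and accept that introspection then needs credentials too.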