graphql-dotnet
Let .AddAuthorization work with PolicyProviders
When using .AddAuthorization it would be great that it would be able to access IAuthorizationPolicyProvider instead of having to add every Policy manually. Currently I don't think that's really possible , which makes it hard to dynamically set some new policies without registering them all beforehand.
or is that one of the limitations mentioned that it doesn't properly use the "Microsoft.AspNetCore.Authorization" features?
Yeah it’s supposed to be independent. Why don’t you try the authorization library included in GraphQL.Server.Transports.AspNetCore instead? It uses policies defined by ASP.Net Core and has a fuller feature set within GraphQL as well. Plus it’s pretty customizable if you need special behavior.
I looked into that and that's what im doing now. I wasn't quite sure where the boundaries of the Asp .NET auth features and GraphQL .NET were, but that makes sense. e.g. The "AuthorizationAttribute" is simply not a from the auth package but rather a GraphQL Attribute, which is what I got wrong, but hoped to extend easily
Sounds good. Check the docs at https://github.com/graphql-dotnet/server?tab=readme-ov-file#authorization-configuration for details on:
- configuration
- transport-level rules
- schema/type/field-level rules
- websocket auth
- auth schemes
- different auth for get vs post
- allowing anonymous auth for introspection or other fields