
fine-grained authorization with JWT token

Open stevehu opened this issue 7 years ago • 3 comments

Unlike a RESTful API, where we have a scope for each endpoint so that authorization can be down to the endpoint, GraphQL has only one endpoint with only two or three different types of requests. Need to find a way to protect individual queries or mutations.

stevehu avatar Jan 04 '18 00:01 stevehu

Can you expose the request to the execution context so that DataFetchers gain access to the JWT token during a request and authorization is deferred to the business layer?

http://graphql-java.readthedocs.io/en/latest/concerns.html#context-objects

maarek avatar Apr 05 '18 04:04 maarek

Yes. That is a very good idea. In the light-rest-4j we pass the payload of JWT in an exchange attachment for fine-grained authorization in the business context. Let me explore it a little bit and propose something for further discussion. Thanks.

stevehu avatar Apr 05 '18 09:04 stevehu
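The approach discussed in the two comments above, as an added example that is not code from the light-graphql-4j project: the handler places the already-verified JWT claims in a per-request context object, and each sensitive DataFetcher checks the `scope` claim before delegating to business logic. The `RequestContext` class, the claim names, the scope strings and the schema are assumptions made for this illustration; it uses graphql-java's `DataFetchingEnvironment.getContext()` as the API existed at the time of the thread (newer graphql-java releases expose the same data through `getGraphQlContext()`).

```java
import graphql.ExecutionInput;
import graphql.ExecutionResult;
import graphql.GraphQL;
import graphql.schema.DataFetcher;
import graphql.schema.GraphQLSchema;
import graphql.schema.idl.RuntimeWiring;
import graphql.schema.idl.SchemaGenerator;
import graphql.schema.idl.SchemaParser;
import graphql.schema.idl.TypeDefinitionRegistry;

import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;

public class ScopedFetcherExample {

    // Hypothetical per-request context object. It carries the JWT claims that the
    // HTTP handler already verified (signature, expiry, issuer) before execution
    // started; the fetchers only make authorization decisions on those claims.
    static final class RequestContext {
        final Map<String, Object> jwtClaims;
        RequestContext(Map<String, Object> jwtClaims) { this.jwtClaims = jwtClaims; }
    }

    // Thrown by a fetcher when the caller lacks the required scope. graphql-java
    // records it as an error entry and nulls the field, so no data is returned.
    static final class ForbiddenException extends RuntimeException {
        ForbiddenException(String msg) { super(msg); }
    }

    // Wraps a business DataFetcher with a scope check read from the context, so
    // a single query or mutation can be protected independently of the endpoint.
    static DataFetcher<Object> requireScope(String scope, DataFetcher<Object> inner) {
        return env -> {
            RequestContext ctx = env.getContext();
            if (ctx == null || !scopesOf(ctx).contains(scope)) {
                throw new ForbiddenException("missing scope: " + scope);
            }
            return inner.get(env);
        };
    }

    // Assumes the OAuth2 convention of a space-separated "scope" claim.
    static List<String> scopesOf(RequestContext ctx) {
        Object raw = ctx.jwtClaims.get("scope");
        if (raw == null) return Collections.emptyList();
        return Arrays.asList(raw.toString().split(" "));
    }

    static GraphQL buildGraphQL() {
        // Constructed schema: one public field, one scoped field, one scoped mutation.
        String sdl = "type Query { publicInfo: String, secret: String } "
                   + "type Mutation { updateSecret(value: String): String }";
        TypeDefinitionRegistry registry = new SchemaParser().parse(sdl);
        RuntimeWiring wiring = RuntimeWiring.newRuntimeWiring()
            .type("Query", b -> b
                .dataFetcher("publicInfo", env -> "hello")
                .dataFetcher("secret", requireScope("secret.read", env -> "s3cr3t")))
            .type("Mutation", b -> b
                .dataFetcher("updateSecret", requireScope("secret.write",
                    env -> env.getArgument("value"))))
            .build();
        GraphQLSchema schema = new SchemaGenerator().makeExecutableSchema(registry, wiring);
        return GraphQL.newGraphQL(schema).build();
    }

    public static void main(String[] args) {
        GraphQL graphQL = buildGraphQL();
        // Constructed claims: a token allowed to read the secret but not to write it.
        RequestContext ctx = new RequestContext(Map.of("sub", "alice", "scope", "secret.read"));

        // Read succeeds: both fields populated, no errors.
        ExecutionResult r1 = graphQL.execute(ExecutionInput.newExecutionInput()
            .query("{ publicInfo secret }").context(ctx).build());
        System.out.println(r1.getData() + " " + r1.getErrors());

        // Write is refused inside the fetcher: field is null and an error is reported.
        ExecutionResult r2 = graphQL.execute(ExecutionInput.newExecutionInput()
            .query("mutation { updateSecret(value: \"x\") }").context(ctx).build());
        System.out.println(r2.getData() + " " + r2.getErrors());
    }
}
```

The check lives in the fetcher rather than at the single HTTP endpoint, which is what lets one token be accepted for `secret` but rejected for `updateSecret` in the same request; the handler remains responsible for token verification, and the context only ever carries claims it has already validated.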

I didn't realize that we already did this. I missed it when I commented last night. Thanks!

maarek avatar Apr 05 '18 19:04 maarek