smallrye-graphql

Schema: Integrate with Jakarta Security (`@RolesAllowed`, etc.)

Open t1 opened this issue 4 years ago • 3 comments

E.g. a `@RolesAllowed("admin")` can prevent a client from actually using a query, mutation, subscription, or field. Then it shouldn't be in the schema, and trying to use it should create an error response as if it's not there.

t1, Jun 03 '21 03:06

This would mean we need "Dynamic" schemas, not just one. So we need to create a schema per role ... something like that. It also means the schema resource needs to become authorized (or at least some of them). We have spoken about this before. I am not sure it's worth the effort. Looking at JAX-RS, you cannot do it there...

phillip-kruger, Jun 04 '21 08:06

B.t.w., during runtime, this is supported. Here we only talk about the schema.

phillip-kruger, Jun 04 '21 08:06

Yes, this is only about the schema. Maybe we can filter the schema? My first idea had been to use directives to document the roles required, but filtering is just so much better.

And the fact that MP OpenApi doesn't support it doesn't mean there's no need for it ;-)

t1, Jun 04 '21 16:06
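
The schema filtering discussed in this thread, as an added sketch that is not part of the issue and is not SmallRye GraphQL or graphql-java code: each caller gets a schema view computed from their roles, and a hidden field fails validation with the same error as a field that never existed. It is plain Java 17; the `Field` record, the sample fields, and the error wording are assumptions made for illustration.

```java
import java.util.*;
import java.util.stream.Collectors;

// Added sketch in plain Java; no SmallRye GraphQL or graphql-java API is used.
public class RoleFilteredSchema {

    // A root field and the roles allowed to use it; an empty set means unrestricted.
    record Field(String name, String type, Set<String> rolesAllowed) {
        boolean visibleTo(Set<String> callerRoles) {
            return rolesAllowed.isEmpty() || !Collections.disjoint(rolesAllowed, callerRoles);
        }
    }

    // Constructed sample schema (hypothetical field names).
    static final List<Field> QUERY = List.of(
            new Field("heroes", "[Hero]", Set.of()),
            new Field("auditLog", "[AuditEntry]", Set.of("admin")));

    // Schema view for one caller: restricted fields are dropped, not annotated,
    // so the schema endpoint itself has to know who is asking.
    static String schemaFor(Set<String> callerRoles) {
        return QUERY.stream()
                .filter(f -> f.visibleTo(callerRoles))
                .map(f -> "  " + f.name() + ": " + f.type())
                .collect(Collectors.joining("\n", "type Query {\n", "\n}"));
    }

    // Validation against the caller's view: a hidden field and a nonexistent
    // field produce the identical error, so the response does not reveal
    // that a restricted field exists.
    static Optional<String> validate(String fieldName, Set<String> callerRoles) {
        boolean known = QUERY.stream()
                .anyMatch(f -> f.name().equals(fieldName) && f.visibleTo(callerRoles));
        return known ? Optional.empty()
                : Optional.of("Field '" + fieldName + "' in type 'Query' is undefined");
    }

    public static void main(String[] args) {
        Set<String> user = Set.of("user");
        Set<String> admin = Set.of("admin");
        System.out.println(schemaFor(user));
        System.out.println(schemaFor(admin));
        System.out.println(validate("auditLog", user));    // hidden from this caller
        System.out.println(validate("noSuchField", user)); // never existed
        System.out.println(validate("auditLog", admin));   // visible, no error
    }
}
```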