graphql-dotnet/authorization
GraphQL Authorization


A toolset for authorizing access to graph types for GraphQL.NET.

Provides the following packages:

Package: GraphQL.Authorization (downloads and latest version available on NuGet)

You can get all preview versions from GitHub Packages. Note that GitHub requires authentication to consume the feed. See here.

Usage

  • Register the authorization classes in your DI container - call AddAuthorization on the IGraphQLBuilder provided inside the AddGraphQL extension method.
  • Provide the ClaimsPrincipal through ExecutionOptions.User.
  • Add policies to the AuthorizationSettings.
  • Apply a policy to a GraphType or Field - both implement IProvideMetadata:
    • using AuthorizeWithPolicy(string policy) extension method
    • or with AuthorizeAttribute attribute if using Schema + Handler syntax.
  • The AuthorizationValidationRule runs during document validation and checks every policy applied to the selected types and fields against the policies registered in AuthorizationSettings.
  • You can write your own IAuthorizationRequirement.
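
The steps above wired together end to end, as an added example that is not code from the graphql-dotnet/authorization repository: it assumes GraphQL.NET 7.x with the GraphQL.Authorization and GraphQL.MicrosoftDI packages, and the exact signatures of AddRequirement, IAuthorizationContext.ReportError and AuthorizeWithPolicy on a FieldBuilder are assumptions. The "department" claim, the FinancePolicy name and the payroll field are constructed for illustration.

```csharp
// Added example (not repo code); assumes GraphQL.NET 7.x + GraphQL.Authorization + GraphQL.MicrosoftDI; AddRequirement/ReportError signatures are assumed.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using GraphQL;
using GraphQL.Authorization;
using GraphQL.Types;
using Microsoft.Extensions.DependencyInjection;

// Custom IAuthorizationRequirement: the caller must hold a "department" claim with the given value.
public class DepartmentRequirement : IAuthorizationRequirement
{
    private readonly string _department;
    public DepartmentRequirement(string department) => _department = department;
    public Task Authorize(IAuthorizationContext context)
    {
        if (context.User?.HasClaim("department", _department) != true) // anonymous callers fail too
            context.ReportError($"Caller is not in the '{_department}' department.");
        return Task.CompletedTask;
    }
}

public class QueryType : ObjectGraphType
{
    public QueryType() => Field<StringGraphType>("payroll").Resolve(_ => "salary data")
        .AuthorizeWithPolicy("FinancePolicy"); // enforced by AuthorizationValidationRule before any resolver runs
}

public static class Program
{
    public static async Task Main()
    {
        var services = new ServiceCollection();
        services.AddGraphQL(b => b.AddAuthorization(s => s.AddPolicy("FinancePolicy",
            p => p.AddRequirement(new DepartmentRequirement("finance")))));
        using var provider = services.BuildServiceProvider();
        var executer = provider.GetRequiredService<IDocumentExecuter>();
        var schema = new Schema { Query = new QueryType() };
        var finance = new ClaimsPrincipal(new ClaimsIdentity(new[] { new Claim("department", "finance") }, "demo")); // constructed sample principal
        var anonymous = new ClaimsPrincipal(new ClaimsIdentity()); // constructed: unauthenticated, no claims
        foreach (var user in new[] { finance, anonymous })
        {
            var result = await executer.ExecuteAsync(new ExecutionOptions
            {
                Schema = schema, Query = "{ payroll }", RequestServices = provider,
                User = user, // the principal the validation rule evaluates the policy against
            });
            // finance prints "authorized"; anonymous prints the requirement's error message
            Console.WriteLine(result.Errors is { Count: > 0 } ? result.Errors[0].Message : "authorized");
        }
    }
}
```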

Limitations

@skip and @include directives are ignored; all selected fields of the selected operation will be checked for authentication requirements, including referenced fragments. (Other operations in the same document will correctly be skipped.)

This authorization framework only supports policy-based authorization. It does not support role-based authorization, or the [AllowAnonymous] attribute/extension, or the [Authorize] attribute/extension indicating authorization is required but without specifying a policy. It also does not integrate with ASP.NET Core's authorization framework.

The GraphQL.Server repository contains an authorization rule which has the above missing features, intended for use with ASP.NET Core. It may also be tailored with custom authentication code if desired, rather than relying on ASP.NET Core's authentication framework.

Examples

  1. Fully functional basic Console sample.

  2. Fully functional ASP.NET Core sample.

  3. GraphType first syntax - use AuthorizeWithPolicy extension method on IGraphType or IFieldType.

public class MyType : ObjectGraphType
{
    public MyType()
    {
        this.AuthorizeWithPolicy("AdminPolicy");
        Field<StringGraphType>("name").AuthorizeWithPolicy("SomePolicy");
    }
}

  4. Schema first syntax - use AuthorizeAttribute attribute on type, method or property.
[Authorize("MyPolicy")]
public class MutationType
{
    [Authorize("AnotherPolicy")]
    public async Task<string> CreateSomething(MyInput input)
    {
        return await SomeMethodAsync(input);
    }

    [Authorize("SuperPolicy")]
    public string SomeProperty => Guid.NewGuid().ToString();
}

Known Issues

  • It is currently not possible to add a policy to Input objects using Schema first approach.