GraphQL.Authorization

A toolset for authorizing access to graph types for GraphQL.NET

Version: 8.0.0 (NuGet)
Maintainers: 1

GraphQL Authorization

A toolset for authorizing access to graph types for GraphQL.NET.

Provides the following packages:

  • GraphQL.Authorization

You can get all preview versions from GitHub Packages. Note that GitHub requires authentication to consume the feed. See here.

Usage

  • Register the authorization classes in your DI container - call AddAuthorization on the provided IGraphQLBuilder inside the AddGraphQL extension method.
  • Provide the ClaimsPrincipal through ExecutionOptions.User.
  • Add policies to the AuthorizationSettings.
  • Apply a policy to a GraphType or Field - both implement IProvideMetadata:
    • using the AuthorizeWithPolicy(string policy) extension method
    • or with the AuthorizeAttribute attribute if using Schema + Handler syntax.
  • The AuthorizationValidationRule will run and check the applied policies against the registered policies.
  • You can write your own IAuthorizationRequirement.
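
The steps above wired together in a console program, as an added example that is not code from the project or its samples. It assumes the GraphQL.MicrosoftDI package supplies AddGraphQL on IServiceCollection and that AddAuthorization has an overload taking an AuthorizationSettings callback; RootQuery, AppSchema, the field names and the "role" claim are constructed for illustration.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using GraphQL;
using GraphQL.Authorization;
using GraphQL.MicrosoftDI;
using GraphQL.Types;
using Microsoft.Extensions.DependencyInjection;

public class RootQuery : ObjectGraphType
{
    public RootQuery()
    {
        Field<StringGraphType>("status").Resolve(_ => "ok");            // no policy applied
        Field<StringGraphType>("auditLog").Resolve(_ => "constructed entry")
            .AuthorizeWithPolicy("AdminPolicy");                          // policy stored as field metadata
    }
}

public class AppSchema : Schema { public AppSchema() => Query = new RootQuery(); }

public static class Program
{
    // Constructed principals: one without claims, one carrying role=Admin.
    private static ClaimsPrincipal UserWith(params Claim[] claims) =>
        new ClaimsPrincipal(new ClaimsIdentity(claims, "constructed"));

    public static async Task Main()
    {
        var services = new ServiceCollection();
        services.AddGraphQL(b => b
            .AddSchema<AppSchema>()
            // Assumed overload: registers the validation rule and configures AuthorizationSettings.
            .AddAuthorization(s => s.AddPolicy("AdminPolicy", p => p.RequireClaim("role", "Admin"))));
        using var provider = services.BuildServiceProvider();
        var executer = provider.GetRequiredService<IDocumentExecuter>();
        foreach (var user in new[] { UserWith(), UserWith(new Claim("role", "Admin")) })
        {
            var result = await executer.ExecuteAsync(new ExecutionOptions
            {
                Schema = provider.GetRequiredService<ISchema>(),
                Query = "{ status auditLog }",
                User = user,                 // the ClaimsPrincipal the policies are evaluated against
                RequestServices = provider,
            });
            // A failed policy surfaces as a validation error, so no resolver runs for that request.
            Console.WriteLine(result.Errors?.Count > 0 ? $"denied: {result.Errors[0].Message}" : "allowed");
        }
    }
}
```

Because the check happens during validation, the request from the principal without the claim is rejected as a whole, including the unprotected status field.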

Limitations

@skip and @include directives are ignored; all selected fields of the selected operation will be checked for authentication requirements, including referenced fragments. (Other operations in the same document will correctly be skipped.)

This authorization framework only supports policy-based authorization. It does not support role-based authorization, or the [AllowAnonymous] attribute/extension, or the [Authorize] attribute/extension indicating authorization is required but without specifying a policy. It also does not integrate with ASP.NET Core's authorization framework.

The GraphQL.Server repository contains an authorization rule which has the above missing features, intended for use with ASP.NET Core. It may also be tailored with custom authentication code if desired, rather than relying on ASP.NET Core's authentication framework.

Examples

  • Fully functional basic Console sample.

  • Fully functional ASP.NET Core sample.

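  • GraphType first syntax - use the AuthorizeWithPolicy extension method on IGraphType or IFieldType.

using GraphQL;
using GraphQL.Types;

public class MyType : ObjectGraphType
{
    public MyType()
    {
        // Policy applied to the graph type itself
        this.AuthorizeWithPolicy("AdminPolicy");
        // Policy applied to a single field
        Field<StringGraphType>("name").AuthorizeWithPolicy("SomePolicy");
    }
}

  • Schema first syntax - use the AuthorizeAttribute attribute on a type, method or property.

using System;
using System.Threading.Tasks;
using GraphQL;

// Policy applied to the whole type
[Authorize("MyPolicy")]
public class MutationType
{
    // Policy applied to a method-backed field (MyInput and SomeMethodAsync are defined elsewhere)
    [Authorize("AnotherPolicy")]
    public async Task<string> CreateSomething(MyInput input)
    {
        return await SomeMethodAsync(input);
    }

    // Policy applied to a property-backed field
    [Authorize("SuperPolicy")]
    public string SomeProperty => Guid.NewGuid().ToString();
}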

Known Issues

  • It is currently not possible to add a policy to Input objects using the Schema first approach.

Keywords

GraphQL

FAQs

Package last updated on 22 Aug 2024
