Dgraph GraphQL uses the `# Dgraph.Authorization` line at the bottom of the schema to specify how JWT tokens present in the HTTP request headers are extracted, validated and used. This line must start with the exact string `# Dgraph.Authorization` and be at the bottom of the schema file.
To enable authentication on the `/graphql` endpoint, add a line starting with `# Dgraph.Authorization` and carrying the following parameters at the very end of your GraphQL schema.
The `Dgraph.Authorization` object is a JSON object written on that line after the `# Dgraph.Authorization` prefix, and contains the following parameters:
- `Header` is the name of the header field used by the client to send the token. Do not use the `Dg-Auth`, `X-Auth-Token` or `Authorization` headers, which are used by Dgraph for other purposes.
- `Namespace` is the key inside the JWT that contains the claims relevant to Dgraph authorization.
- `Algo` is the JWT verification algorithm, which can be either `HS256` or `RS256`.
- `VerificationKey` is the string value of the key, with newlines replaced with `\n` and the key string wrapped in `""`:
  - for `RS256` (asymmetric), `VerificationKey` contains the public key string;
  - for `HS256` (symmetric), `VerificationKey` is the secret key. Note that anyone who can read the schema then holds the signing secret and can mint valid tokens.
- `JWKURL`/`JWKURLs` is the URL for the JSON Web Key sets. If you want to pass multiple URLs, use `JWKURLs` as an array of JWK URLs. You can only use one key source: either a `VerificationKey`, a single `JWKURL`, or multiple `JWKURLs`.
- `Audience` is used to verify the `aud` field of a JWT, which is used by certain providers to indicate the intended audience for the JWT. When doing authentication with `JWKURL`, this field is mandatory.
- `ClosedByDefault`, if set to `true`, requires authorization for all requests even if the GraphQL type doesn't specify rules. If omitted, the default setting is `false`.
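The following Python script, added here as an example and not part of the Dgraph documentation or code base, builds the `# Dgraph.Authorization` line from those parameters and enforces the constraints listed above (no reserved header name, exactly one key source, `Audience` required when JWK URLs are used, `Algo` limited to `HS256`/`RS256`), then reads the line back from a schema and checks that it is the last line. The header name, namespace, audience, URLs and PEM text are constructed placeholders.

```python
"""Build and parse the # Dgraph.Authorization line (added example, not Dgraph's code)."""
import json

# Header names Dgraph already uses for other purposes; they may not carry the JWT.
RESERVED_HEADERS = {"dg-auth", "x-auth-token", "authorization"}
PREFIX = "# Dgraph.Authorization"

# Constructed placeholder; not a real key. json.dumps turns the newlines into \n.
FAKE_PEM = "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkq...constructed...\n-----END PUBLIC KEY-----"


def build_authorization_line(header, namespace, algo=None, verification_key=None,
                             jwk_urls=None, audience=None, closed_by_default=False):
    """Return the single line to append at the very end of the GraphQL schema."""
    if header.lower() in RESERVED_HEADERS:
        raise ValueError(f"{header} is reserved by Dgraph; pick another header name")
    # Exactly one key source: a static key or a JWK set (one URL or several).
    if (verification_key is None) == (not jwk_urls):
        raise ValueError("configure exactly one of VerificationKey or JWKURL/JWKURLs")
    settings = {"Header": header, "Namespace": namespace, "ClosedByDefault": closed_by_default}
    if verification_key is not None:
        if algo not in ("HS256", "RS256"):
            raise ValueError("Algo must be HS256 or RS256 when VerificationKey is used")
        settings["Algo"] = algo
        settings["VerificationKey"] = verification_key
    else:
        if not audience:
            raise ValueError("Audience is mandatory when verifying against a JWK set")
        if len(jwk_urls) == 1:
            settings["JWKURL"] = jwk_urls[0]
        else:
            settings["JWKURLs"] = list(jwk_urls)
    if audience:
        settings["Audience"] = list(audience)
    # Compact JSON keeps the whole object on the one line Dgraph reads.
    return f"{PREFIX} {json.dumps(settings, separators=(',', ':'))}"


def parse_authorization_line(schema_text):
    """Decode the # Dgraph.Authorization line; it must be the last non-blank line."""
    lines = [ln for ln in schema_text.splitlines() if ln.strip()]
    if not lines or not lines[-1].startswith(PREFIX):
        raise ValueError(f"{PREFIX} line missing or not at the bottom of the schema")
    return json.loads(lines[-1][len(PREFIX):])


def configuration_error(**kwargs):
    """Return the ValueError message for a set of parameters, or None when they are valid."""
    try:
        build_authorization_line(**kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    line = build_authorization_line("X-My-App-Auth", "https://my.app.io/jwt/claims",
                                    algo="RS256", verification_key=FAKE_PEM, audience=["my-app"])
    schema = "type Todo {\n  id: ID!\n  title: String!\n}\n\n" + line + "\n"
    print(line)
    print(parse_authorization_line(schema)["Algo"])
```

Because the key goes through `json.dumps`, a multi-line PEM is escaped to `\n` automatically, which is exactly the form the `VerificationKey` parameter expects.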
If a `# Dgraph.Authorization` line is present in the GraphQL schema, Dgraph uses the settings in that line to extract and validate the JWT on every request to `/graphql`.
`Dgraph.Authorization` is fully configurable to work with various authentication providers. Authentication providers have options to configure how JWT tokens are generated. Here are some configuration examples.
In Clerk, go to JWT Templates and create a template for Dgraph. Your template must have an `aud` (audience) claim; this is mandatory for Dgraph when the token is verified using `JWKURL`. Decide on a claim namespace and add the information you want to use in your RBAC rules. This example uses the `https://dgraph.io/jwt/claims` namespace and retrieves the user's current organization, role (Clerk currently has two roles, `admin` and `basic_member`) and email. This is our JWT Template in Clerk:

`X-Dgraph-AuthToken` is a header authorized by default by the Dgraph GraphQL API, so it passes CORS requirements.
Configuration using the `X-My-App-Auth` header and authorization claims in the `https://my.app.io/jwt/claims` namespace:
The configured `Header` is expected to be in one of the following forms: the bare JWT, or the JWT with a `Bearer ` prefix (including the space).

If the token's `aud` claim does not match the configured `Audience`, Dgraph replies on the `/graphql` endpoint with an error message rejecting the operation, similar to: “`aud` value doesn't match with the audience”.
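As an added example (not Dgraph's own implementation), the following Python shows what a verifier configured by these settings has to do with a request: find the configured header case-insensitively, strip an optional `Bearer ` prefix, pin the algorithm to the configured `Algo` rather than trusting the token's `alg`, check the signature and expiry, compare `aud` against `Audience`, and return only the claims stored under `Namespace`. It implements `HS256` with the standard library only; the header name, secret, namespace and claims are constructed for the example, and the error strings merely mirror the shape of Dgraph's.

```python
"""Verifier sketch for a # Dgraph.Authorization configuration (added example,
not Dgraph's code). HS256 only, standard library only."""
import base64
import hashlib
import hmac
import json
import time

# Hypothetical settings, as they would appear in the # Dgraph.Authorization line.
SETTINGS = {
    "Header": "X-My-App-Auth",
    "Namespace": "https://my.app.io/jwt/claims",
    "Algo": "HS256",
    "VerificationKey": "constructed-shared-secret-for-the-example",
    "Audience": ["my-app-api"],
}


class AuthError(Exception):
    """Rejection with a message in the spirit of Dgraph's own errors."""


def _b64url_decode(data):
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def mint_hs256_token(claims, secret):
    """Sign claims the way an HS256 provider would; used here only to build sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def extract_token(headers, header_name):
    """Accept '<JWT>' or 'Bearer <JWT>' in the configured header; header names are case-insensitive."""
    for name, value in headers.items():
        if name.lower() == header_name.lower():
            value = value.strip()
            if value.split(" ", 1)[0] == "Bearer":  # the prefix must be followed by a space
                value = value[len("Bearer"):].strip()
            if not value:
                raise AuthError(f"{header_name} header is empty")
            return value
    raise AuthError(f"{header_name} header not present")


def verify_and_extract_claims(headers, settings=SETTINGS, now=None):
    """Verify the JWT against the settings and return the claims stored under Namespace."""
    token = extract_token(headers, settings["Header"])
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
        signature = _b64url_decode(s_b64)
    except ValueError as exc:  # wrong segment count, bad base64 or bad JSON
        raise AuthError(f"malformed JWT: {exc}") from exc

    # Pin the algorithm to the configured Algo; never let the token choose
    # (this rejects alg=none and HS256/RS256 confusion).
    if header.get("alg") != settings["Algo"]:
        raise AuthError(f"unexpected JWT alg {header.get('alg')!r}, expected {settings['Algo']}")
    expected = hmac.new(settings["VerificationKey"].encode(),
                        f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise AuthError("JWT signature verification failed")

    exp = payload.get("exp")
    if exp is not None and (time.time() if now is None else now) >= exp:
        raise AuthError("JWT has expired")

    # aud may be a string or a list; any overlap with the configured Audience passes.
    configured = settings.get("Audience")
    if configured:
        aud = payload.get("aud")
        aud = [aud] if isinstance(aud, str) else list(aud or [])
        if not set(aud) & set(configured):
            raise AuthError("aud value doesn't match with the audience")

    claims = payload.get(settings["Namespace"])
    if not isinstance(claims, dict):
        raise AuthError(f"no claims found under namespace {settings['Namespace']}")
    return claims


def rejection_reason(headers, settings=SETTINGS):
    """Return the rejection message for a request, or None if the token is accepted."""
    try:
        verify_and_extract_claims(headers, settings)
    except AuthError as exc:
        return str(exc)
    return None
```

The order of checks matters: the signature is verified before any claim is read, so a forged token never gets as far as the `aud` or namespace checks, and the algorithm comes from the schema, not from the token.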