Dgraph support Role Based Access Control (RBAC) on GraphQL API operations.
@auth
directive.
To implement Role Based Access Control on GraphQL API operations :
# Dgraph.Authorization
This step is important to be able to use the
JWT claims@auth
directive and
specify conditions to be met for query
, add
, update
or delete
operations.eq
or in
functions to test the value of a
JWT claim from the JWT token payload.
The claim value may be a string or array of strings.
For example the following schema has a @auth directive specifying that a delete
operation on a User object can only be done if the connected user has a ‘ROLE’
claim in the JWT token with the value “admin” :
and
, or
and not
. A
permission can be a mixture of graph traversals and role based rules.
In the todo app, you can express, for example, that you can delete a Todo
if
you are the author, or are the site admin.
https://xyz.io/jwt/claims
is declared as the namespace to use, the
authorization rules can use $ROLE
but also $email
.
In cases where the same claim is present in the namespace and at the root level,
the claim value in the namespace takes precedence.
@auth
on Interfaces@auth
directive on an interface will be applied
as an AND
rule to those on the implementing types.
A type inherits the @auth
rules of all the implemented interfaces. The final
authorization rule is an AND
of the type’s @auth
rule and of all the
implemented interfaces.