We’re overhauling Dgraph’s docs to make them clearer and more approachable. If
you notice any issues during this transition or have suggestions, please
let us know.
@auth
directive.
To implement Role Based Access Control on GraphQL API operations :
- Ensure your have configured the GraphQL schema to Handle JWT tokens
using
# Dgraph.Authorization
This step is important to be able to use the JWT claims - Annotate the Types in the GraphQL schema with the
@auth
directive and specify conditions to be met forquery
,add
,update
ordelete
operations.
eq
or in
functions to test the value of a
JWT claim from the JWT token payload.
The claim value may be a string or array of strings.
For example the following schema has a @auth directive specifying that a delete
operation on a User object can only be done if the connected user has a ‘ROLE’
claim in the JWT token with the value “admin” :
rules combination
Rules can be combined with the logical connectivesand
, or
and not
. A
permission can be a mixture of graph traversals and role based rules.
In the todo app, you can express, for example, that you can delete a Todo
if
you are the author, or are the site admin.
claims
Rules may use claims from the namespace specified by the # Dgraph.Authorization or claims present at the root level of the JWT payload. For example, given the following JWT payloadhttps://xyz.io/jwt/claims
is declared as the namespace to use, the
authorization rules can use $ROLE
but also $email
.
In cases where the same claim is present in the namespace and at the root level,
the claim value in the namespace takes precedence.
@auth
on Interfaces
The rules provided inside the @auth
directive on an interface will be applied
as an AND
rule to those on the implementing types.
A type inherits the @auth
rules of all the implemented interfaces. The final
authorization rule is an AND
of the type’s @auth
rule and of all the
implemented interfaces.