Authorization directive docs #3449

Merged
39 commits
c736346
Add sub-header for authentication and authorization
Meschreiber Jul 14, 2023
d537514
Restructure Authorization page
Meschreiber Jul 14, 2023
64e43e8
Copy edit `@authenticated` section
Meschreiber Jul 14, 2023
a92ddae
Copy edit `@requiredScopes` section
Meschreiber Jul 14, 2023
5e2d625
Copy edit "Authorization and `@key` types
Meschreiber Jul 14, 2023
2011701
Copy edit Interfaces
Meschreiber Jul 14, 2023
00f5896
Copy edits
Meschreiber Jul 14, 2023
1ffdfd3
Typo
Meschreiber Jul 15, 2023
03cbade
Add pre-req information
Meschreiber Jul 17, 2023
cc0b141
Remove nested headers
Meschreiber Jul 17, 2023
a7c5949
Remove unnecessary space
Meschreiber Jul 18, 2023
c6f3554
Copy edit
Meschreiber Jul 18, 2023
21f5a21
Apply suggestions from code review
Meschreiber Jul 20, 2023
d5c1b81
Merge branch 'ms/authorization-directives-docs' of https://github.com…
Meschreiber Jul 20, 2023
e006b24
Clarify that `requiredScopes` can also eliminate entire subgraph requ…
Meschreiber Jul 20, 2023
2dc22d2
Add authorization directives to list of router enterprise features
Meschreiber Jul 20, 2023
765c7f8
Update docs/source/configuration/authorization.mdx
Meschreiber Jul 28, 2023
1ff841f
Apply suggestions from code review
Meschreiber Aug 4, 2023
ce51ab0
Copy edits
Meschreiber Jul 21, 2023
d74bd61
Copy edits and add to-do sections
Meschreiber Aug 4, 2023
813e7a8
Copy edits
Meschreiber Aug 6, 2023
497f06b
Add to-dos
Meschreiber Aug 6, 2023
479961b
Update error message for completely filtered query
Meschreiber Aug 7, 2023
94b9282
Typo
Meschreiber Aug 7, 2023
a5ed4ab
Typo
Meschreiber Aug 7, 2023
5e2f3e1
Rewrite intro
Meschreiber Aug 8, 2023
d5ac253
Align code examples to demo
Meschreiber Aug 8, 2023
fa7ff60
Copy edits
Meschreiber Aug 8, 2023
8a3fa58
Remove links to demo
Meschreiber Aug 8, 2023
2ab7433
move the claim augmentation example
Geal Aug 9, 2023
31b22e9
Merge branch 'geal/authorization-directives' into ms/authorization-di…
Geal Aug 10, 2023
2791253
Update docs/source/configuration/authorization.mdx
Geal Aug 10, 2023
551f139
Merge branch 'geal/authorization-directives' into ms/authorization-di…
Geal Aug 11, 2023
141b84c
add documentation for
Geal Aug 11, 2023
9a5f0de
WiP: Rhai script to edit the claims
Geal Aug 11, 2023
77f5368
Use content components
Meschreiber Aug 11, 2023
3459afb
Copy edits
Meschreiber Aug 11, 2023
cb2b46f
Copy edit
Meschreiber Aug 11, 2023
84d1054
Update intro
Meschreiber Aug 11, 2023
45 changes: 0 additions & 45 deletions docs/source/configuration/authn-jwt.mdx
Expand Up @@ -264,51 +264,6 @@ fn subgraph_service(service, subgraph) {

</ExpansionPanel>

### Claim augmentation via coprocessors

Tokens can come in with limited information, that is then used to look up user specific information like roles. This can be done with [coprocessors](/customizations/coprocessor).

<ExpansionPanel title="Click to expand">

The router level coprocessor is guaranteed to be called after the authentication plugin, so the coprocessor can receive the list of claims extracted from the token, use information like the `sub` (subject) claim to look up the user, insert its data in the claims list and return it to the router.

If the router is configured with:

```yaml title="router.yaml"
authentication:
router:
jwt:
jwks:
- url: "file:///etc/router/jwks.json"

coprocessor:
url: http://127.0.0.1:8081
router:
request:
context: true
```

The coprocessor will then receive a request with this format:

```json
{
"version": 1,
"stage": "RouterRequest",
"control": "continue",
"id": "d0a8245df0efe8aa38a80dba1147fb2e",
"context": {
"entries": {
"apollo_authentication::JWT::claims": {
"exp": 10000000000,
"sub": "457f6bb6-789c-4e8b-8560-f3943a09e72a"
}
}
},
"method": "POST"
}
```
</ExpansionPanel>

## Creating your own JWKS (advanced)

> ⚠️ **Most third-party IdP services create and host a JWKS for you.** If you use a third-party IdP, consult its documentation to obtain the [JWKS URL](#jwks) to pass to your router.
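
Review bot: Deleting the whole "Claim augmentation via coprocessors" section leaves authn-jwt.mdx with no pointer to this material, so any existing link to that heading's anchor will break and readers of the JWT page lose the connection between token validation and claim lookup. If the section is being relocated (the commit list includes "move the claim augmentation example"), keep a one-sentence cross-reference to its new location just above "Creating your own JWKS (advanced)". Separately, the removed text says the coprocessor can "insert its data in the claims list and return it to the router" but only the request payload is shown; the relocated version should add the matching coprocessor response with the modified `apollo_authentication::JWT::claims` entry, since that returned value is what later stages will rely on.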