This repository demonstrates how to use JWT authentication in the Router with the `@requiresScopes` directive when the JWT uses the standard `scope` JWT claim, which is typical in an OAuth or OIDC environment.
Note: To run this example, you will need a GraphOS Enterprise plan and must create `/router/.env` based on `/router/.env.example`, which exports `APOLLO_KEY` and `APOLLO_GRAPH_REF`.
- Run the subgraph from the `/subgraph` directory with `npm run dev`
- Run the auth-service from the `/auth-service` directory with `npm run dev`
- In the `/router` directory, download the router by running `./download_router.sh`
- In the `/router` directory, compose the schema by running `./create_local_schema.sh`
- In the `/router` directory, run the router by running `./start_router.sh`
Before you can query the router from the browser (http://127.0.0.1:4000/), you will need to get a JWT. This can be done by opening http://localhost:3005/login in the browser and using the resulting token as a Bearer token in the `Authorization` header.
In `router/router-config.yaml`:

- `authorization` directives are enabled
- `require_authentication` is set to `true`, which enforces that every request must contain a valid JWT
- A `jwks` URL is configured to validate incoming JWTs
In `subgraph/src/schema/Query.graphql`, `@requiresScopes` is set on fields to require specific scopes. If you query for `hello` you will get a result, whereas `hello2` will result in an error because the JWT does not contain that scope.