This repository demonstrates how to use JWT authentication in the Router with the `@requiresScopes` directive when the JWT does not use the standard `scope` JWT claim. In this example, it is instead stored as an array of strings on the `authorizations` property of the JWT. The Rhai script in this repo converts it to the format expected by the Router.
Note: To run this example, you will need a GraphOS Enterprise plan and must create `/router/.env` based on `/router/.env.example`, which exports `APOLLO_KEY` and `APOLLO_GRAPH_REF`.
- Run the subgraph from the `/subgraph` directory with `npm run dev`
- Run the auth-service from the `/auth-service` directory with `npm run dev`
- In the `/router` directory, download the router by running `./download_router.sh`
- In the `/router` directory, compose the schema by running `./create_local_schema.sh`
- In the `/router` directory, run the router by running `./start_router.sh`
Before you can query the router from the browser (http://127.0.0.1:4000/), you will need to get a JWT. This can be done by opening http://localhost:3005/login in the browser and using the resulting token as a Bearer token in the `Authorization` header.
In `router/router-config.yaml`:

- `authorization` directives are enabled
- `require_authentication` is set to `true`, which enforces that every request must contain a valid JWT
- A `jwks` url is configured to validate incoming JWTs
- The `rhai` property is configured to point to the `rhai/main.rhai` file
In `subgraph/src/schema/Query.graphql`, `@requiresScopes` is set on fields to require specific scopes. If you query for `hello` you will get a result, whereas `hello2` will result in an error due to the JWT not containing that scope.
In `router/rhai/normalize_scopes.rhai`, the script takes the `authorizations` property as an array of strings (e.g. `["read:hello", "read:otherthing"]`) and converts it to a space-separated string `scope` property (e.g. `"read:hello read:otherthing"`).