I have a question regarding authorization on the database being queried.
I’m in the process of building a backend using Dgraph and it exposes a GraphQL API that I’m running mutations/queries against. Dgraph has supplied an `@auth` directive which allows devs to define specific ways in which the JWT received, say in the `Authorization` header, can be evaluated for claims (in this case custom) and dis/allow access. My use case is:
- I’d like to be able to add users to my Dgraph database using the `addUser` mutation generated by Dgraph
- I’d like to ensure that only users with the role `ADMIN` can add/delete users (with other levels of access granted for updating/reading)
- `@auth` directives have been applied to all of the types defined in my GraphQL schema (which is fed into Dgraph to generate the database/operations)
- I’ll add a Rule in Auth0 to query the Dgraph GraphQL API for the user that happens to be authenticating and add the `role` to the custom claims of the Auth0-issued JWT
How do I ensure that Auth0 has access to the Dgraph GraphQL API and that I can update the authenticating user’s JWT with the appropriate role that I have stored in the database?