Authorization Series - Pt 3: Dynamic Authorization with GraphQL and Rules

Build a Flask and GraphQL quidditch management system that uses Auth0 rules to implement ABAC and GBAC.

Read on

Brought to you by @holly


Let us know if you have any questions regarding that!

  axios({
    url: 'https://4ee74187.ngrok.io/graphql',
    method: 'post',
    data: {
      query: `
        {
          getPlayer(name: "${name}") {
            name
            position
            year
          }
        }
      `
    }
  })

Where does the year come from? I cannot see it in the db schema, is this another API?

Hey there!

Thanks for reporting that! year is a property of the Player object but it’s missing in the db. @holly can you take a look at that? Is there something we’re missing from the tutorial?

Good catch @huyennbl. The year field is in the file models.py and then populated in seeder.txt. That screenshot of the database structure was taken before I added it to the app, so a little outdated, but the code itself should be working. Updating the image now, thanks!


Perfect! Thanks a lot for that @holly!

Hi guys,

I found the post very helpful and have some follow-up questions. As described in the post, the rules that you can make on Auth0 are executed when a user logs in. Is it possible to change the context object during a session? Doesn’t it cause too much overhead when a variable in the context becomes bigger and is sent in a cookie with every request?

Hi!

I have a question regarding authorization on the database being queried.

I’m in the process of building a backend using Dgraph and it exposes a GraphQL API that I’m running mutations/queries against. Dgraph has supplied an @auth directive which allows devs to define specific ways in which the JWT received, say in the Authorization header, can be evaluated for claims (in this case custom) and dis/allow access. My use case is:

  • I’d like to be able to add users to my Dgraph database using the addUser mutation generated by Dgraph
  • I’d like to ensure that only users with the role ADMIN can add/delete users (with other levels of access granted for updating/reading)
  • these @auth directives have been applied to all of the types defined in my GraphQL schema (which is fed into Dgraph to generate the database/operations)
  • I’ll add a Rule in Auth0 to query the Dgraph GraphQL API for the user that happens to be authenticating and add the role to the custom claims of the Auth0-issued JWT

How do I ensure that Auth0 has access to the Dgraph GraphQL API and that I can update the authenticating user’s JWT with the appropriate role that I have stored in the database?

This thread seems stale so I will also open up a separate topic.

Best,
John


Hey there @forstmeier!

I’m sure Holly will follow up on that once she’s online!


Hi, @konrad.sopala, any word on when Holly might be available to address this question? Thanks!

Hey there!

Let me ping her

Hi @forstmeier! Sorry for the delay, just catching up from the long weekend. Let me gather a couple of resources and I’ll get back to you today!

Hi again and sorry for the delay!

You can call your own API from within the rule by first registering the API with Auth0 and then using M2M authorization between your API and the Auth0 rule.

Here are the steps to do that:

And then once you’re able to connect to your API and grab the role you want to add for the user that’s signing in, you can add it to the access token like this:

This sample shows a similar setup, but instead of querying the API, it’s pulling straight from the database. Just an example of how both steps can work together!

https://auth0.com/rules/add-roles-from-sqlserver

Let me know if that helps!


Wow, thanks @holly! This is really, really helpful. I’ll be taking a look at this in depth and putting something together tomorrow/Friday evening and I’ll be sure to let you know if I run into issues.

I also just saw that Dgraph released some additional documentation specifically about integrating with Auth0.


Perfect! Let us know if you have any questions down the road!
