Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/graph-quilt/graphql-authorization-java
This library enables access control for accessing types and fields when making a GraphQL request.
- Host: GitHub
- URL: https://github.com/graph-quilt/graphql-authorization-java
- Owner: graph-quilt
- License: apache-2.0
- Created: 2021-12-03T20:00:58.000Z (almost 3 years ago)
- Default Branch: master
- Last Pushed: 2023-11-09T08:11:01.000Z (about 1 year ago)
- Last Synced: 2023-12-12T11:14:58.236Z (11 months ago)
- Topics: abac, access-control, authorization, federation, graphql, hacktoberfest, hacktoberfest2023
- Language: Java
- Homepage: https://graph-quilt.github.io
- Size: 235 KB
- Stars: 21
- Watchers: 11
- Forks: 7
- Open Issues: 1
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: .github/CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Codeowners: .github/CODEOWNERS
README
![graphql-authorization-java](./graphql-authorization-java.png)
A powerful library for securing a GraphQL service using attribute-level access control.

![Master Build](https://github.com/graph-quilt/graphql-authorization-java/actions/workflows/main.yml/badge.svg)
## Introduction
This library enforces access control on GraphQL queries by checking for allowed types and fields. A GraphQL query that
has access to some of the requested fields/types will return:
* The requested fields it has access to
* An authorization error message for each field it does not have access to. You can customize the error message by overriding the
  `getErrorMessage` method of the `ScopeProvider` interface.
```json
"errors": [
  {
    "message": "403 - Not authorized to access field=accountId of type=AccountType",
    ...
  },
```

## Getting Started

### Maven coordinates:

```xml
<dependency>
  <groupId>com.intuit.graphql</groupId>
  <artifactId>graphql-authorization-java</artifactId>
  <version>${latest.version}</version>
</dependency>
```
### Usage
* Implement the `AuthzClientConfiguration` interface and provide the configuration for initialization. The configuration contains
  mappings of scopes, represented by an `id`, to the list of queries allowed for that `id`. The id can also represent client ids,
  user ids, scopes or roles.
* Add the `AuthzInstrumentation` defined in the library as an instrumentation when you create your GraphQL instance. More on
  [graphql-java instrumentation](https://www.graphql-java.com/documentation/instrumentation/).
  If the DGS framework is used, add the `AuthzInstrumentation` as a bean in the configuration class.
* The library provides a default implementation of the `ScopeProvider` interface. The default implementation uses the request context
  to fetch the list of scopes associated with the request. It can be overridden by providing a custom
  implementation of the `ScopeProvider` interface.
* Scope retrieval can be customized by overriding the `getScopes` method of the `ScopeProvider` interface.
* Request-context information is available at execution time. The request context carries the request headers, which can be used
  to fetch the list of scopes associated with the request.
* The error message can be customized by overriding the `getErrorMessage` method of the `ScopeProvider` interface.
* `AuthzListener` is an optional interface that can be implemented to listen to authorization events. The listener can be used
  to log the authorization events or to send them to a monitoring system. The listener is added to the instrumentation
  by providing an implementation of the `AuthzListener` interface.
* `AuthorizationExtensionProvider` is an optional interface that can be implemented to provide custom authorization extensions.
  The extensions can be used to add custom authorization logic, and are added to the instrumentation by providing
  an implementation of the `AuthorizationExtensionProvider` interface.

```java
GraphQL.newGraphQL(schema)
    .instrumentation(new AuthzInstrumentation(authzClientConfiguration, schema, scopeProvider, authzListener, authorizationExtensionProvider))
    .build();
```
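The following is an added, self-contained Java model of the check the usage steps above describe; it is not code from graphql-authorization-java and does not call the library's interfaces (their method signatures are not shown here). The scope-to-allowed-fields map stands in for `AuthzClientConfiguration`, `scopesFromContext` plays the role of `ScopeProvider.getScopes` (the `x-scopes` header name is an assumption), `errorMessage` mirrors the README's error format, and `evaluate` applies default-deny: a field is resolved only if some scope on the request lists it, otherwise it contributes a 403 error while the permitted fields still come back. It needs Java 16 or later for records.

```java
import java.util.*;

/**
 * Added illustration of attribute-level GraphQL access control (not the library's code).
 * Per-id allow lists of type/field pairs, scopes read from request headers, allowed
 * fields pass, and every denied field yields a "403 - Not authorized ..." error.
 */
public class AuthzModel {

    /** A requested (or allowed) type/field pair, e.g. AccountType.accountId. */
    public record TypeField(String type, String field) {
        @Override public String toString() { return type + "." + field; }
    }

    /** Outcome of evaluating one query: fields to resolve and errors to return alongside them. */
    public record Decision(List<TypeField> allowed, List<String> errors) {}

    /** Stand-in for AuthzClientConfiguration: id (scope, role, client id, user id) -> allowed type/field pairs. */
    private final Map<String, Set<TypeField>> allowedByScope;

    public AuthzModel(Map<String, Set<TypeField>> allowedByScope) {
        this.allowedByScope = allowedByScope;
    }

    /** Stand-in for ScopeProvider.getErrorMessage; the message format is the one the README shows. */
    static String errorMessage(TypeField tf) {
        return "403 - Not authorized to access field=" + tf.field() + " of type=" + tf.type();
    }

    /** Stand-in for ScopeProvider.getScopes: reads a comma-separated "x-scopes" header (assumed name). */
    static List<String> scopesFromContext(Map<String, String> requestHeaders) {
        String raw = requestHeaders.getOrDefault("x-scopes", "");
        if (raw.isBlank()) return List.of();
        return Arrays.stream(raw.split(",")).map(String::trim).filter(s -> !s.isEmpty()).toList();
    }

    /** Default-deny: a field is allowed only if at least one of the request's scopes lists it. */
    public Decision evaluate(List<TypeField> requested, List<String> scopes) {
        Set<TypeField> union = new HashSet<>();
        for (String scope : scopes) {
            union.addAll(allowedByScope.getOrDefault(scope, Set.of()));
        }
        List<TypeField> allowed = new ArrayList<>();
        List<String> errors = new ArrayList<>();
        for (TypeField tf : requested) {
            if (union.contains(tf)) allowed.add(tf); else errors.add(errorMessage(tf));
        }
        return new Decision(allowed, errors);
    }

    public static void main(String[] args) {
        // Constructed configuration: a read scope and a separate scope for sensitive fields.
        Map<String, Set<TypeField>> config = Map.of(
            "account:read", Set.of(new TypeField("Query", "account"),
                                   new TypeField("AccountType", "id"),
                                   new TypeField("AccountType", "displayName")),
            "account:pii",  Set.of(new TypeField("AccountType", "accountId"),
                                   new TypeField("AccountType", "email")));
        AuthzModel authz = new AuthzModel(config);

        // Constructed query selection set: { account { id displayName accountId } }
        List<TypeField> requested = List.of(
            new TypeField("Query", "account"),
            new TypeField("AccountType", "id"),
            new TypeField("AccountType", "displayName"),
            new TypeField("AccountType", "accountId"));

        // Constructed request context: only the read scope is present, so accountId is denied.
        Map<String, String> headers = Map.of("x-scopes", "account:read");
        Decision d = authz.evaluate(requested, scopesFromContext(headers));

        System.out.println("allowed: " + d.allowed());
        System.out.println("errors:  " + d.errors());
    }
}
```

The point of the split result is the partial-response behaviour the Introduction describes: the caller still receives the fields it may see, and each denied field is reported individually in `errors` rather than failing the whole request. In the real library this evaluation happens inside graphql-java's instrumentation hooks at execution time, which is why the scope provider is given the request context rather than the raw HTTP request.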
### Example Implementation
Please refer to the [example service](https://github.com/graph-quilt/example-subgraphs/tree/main/name-service) where this library was used to
implement user permissions with user ids.

### Contributing
Read the [Contribution guide](./.github/CONTRIBUTING.md)