Documentation
Gateway
Authorization / Authentication

Authorization and Authentication

Hive Gateway supports Authentication and Authorization using JSON Web Tokens (JWT).

A JSON Web Tokens (JWT) is a signed token containing arbitrary informations, commonly used for authentication. By being signed by the issuer of the token, it can be verified that the token is valid and has not been tampered with.

Hive Gateway provides a plugin to easily integrate JWT into your API, allowing you to easily validate, decode and use the token (for identity and authorization).

Once you have the JWT token extract and validated, the JWT claims (and optionally, the full token) are injected to the Hive Gateway execution context, and forwarded to upstream GraphQL subgraphs, using the extensions field.

⚠️

When JWT is enabled and claims are forwarded to the upstream GraphQL subgraphs, you might want to use HMAC Signature between your Hive Gateway and the subgraphs. This will ensure that the requests to the subgraphs are trusted and signed by the gateway, and no other entity can execute requests to the subgraph on behalf of the end-users.

💡

You can refer to Generic Auth plugin docs, if you need a more customized auth setup without JWT.

How to use?

Here’s a mininal example for configuring the JWT plugin with a local signing key, and looking for the token in the authorization header:

gateway.config.ts
import {
  createInlineSigningKeyProvider,
  defineConfig,
  extractFromHeader
} from '@graphql-hive/gateway'
 
const signingKey = 'my-secret-key'
 
export const gatewayConfig = defineConfig({
  jwt: {
    // Look and extract for the token in the 'authorization' header, with the 'Bearer' prefix.
    lookupLocations: [extractFromHeader({ name: 'authorization', prefix: 'Bearer' })],
    // Decode and validate the token using the provided signing key.
    singingKeyProviders: [createInlineSigningKeyProvider(signingKey)],
    // Forward the verified token payload to the upstream GraphQL subgraphs.
    forwared: {
      payload: true
    }
  }
})

You can also pass additional configuration options to the Yoga plugin:

gateway.config.ts
import { defineConfig, createInlineSigningKeyProvider, createRemoteJwksSigningKeyProvider, extractFromHeader, extractFromCookie } from '@graphql-hive/gateway'
 
export const gatewayConfig = defineConfig({
  jwt: {
      // Forward the extracted token and claims to the upstream GraphQL subgraphs.
      forwarded: {
        payload: true, // optional, defualt is "true"
        token: false, // optional, defualt is "false"
        extensionsFieldName: "jwt", // optional, defualt is "jwt"
      },
      // Configure your signing providers: either a local signing-key or a remote JWKS are supported.
      singingKeyProviders: [
        createInlineSigningKeyProvider(signingKey),
        createRemoteJwksSigningKeyProvider({ jwksUri: 'https://example.com/.well-known/jwks.json' })
      ]
      // Configure where to look for the JWT token: in the headers, or cookies.
      // By default, the plugin will look for the token in the 'authorization' header only.
      lookupLocations: [
        extractFromHeader({ name: 'authorization', prefix: 'Bearer' }),
        extractFromCookie({ name: 'auth' }),
      ],
      // Configure your token issuers/audience/algorithms verification options.
      // By default, the plugin will only verify the HS256/RS256 algorithms.
      // Please note that this should match the JWT signer issuer/audience/algorithms.
      tokenVerification: {
        issuer: 'http://my-issuer.com',
        audience: 'my-audience',
        algorithms: ['HS256', 'RS256'],
      },
      // The plugin can reject the request if the token is missing or invalid (doesn't pass JWT `verify` flow).
      // By default, the plugin will reject the request if the token is missing or invalid.
      reject: {
        missingToken: true,
        invalidToken: true,
      }
  }
})

Configuration Options

Please refer to the configuration options of the Yoga plugin for complete details and examples.

Forwarding the JWT token and payload

The JWT token and payload can be forwarded to the upstream GraphQL subgraphs, using the extensions field of the request body.

This workflow can allow you to easily delegate the authentication process to Hive Gateway, and allow the subgraphs to deal only with the user identity and authorization.

To pass the full token payload, you can use the forwarded.claims option:

{
  forwarded: {
    payload: true // optional, defualt is "true"
  }
}

The token payload will be injected into extensions.jwt.payload of the upstream request body:

{
  "query": "{ comments { id author { id }} }",
  "extensions": {
    "jwt": {
      "payload": {
        "sub": 123
      }
    }
  }
}

You can also pass the full token, using the forwared.token option:

{
  forwared: {
    payload: true, // optional, defualt is "true"
    token: true // optional, defualt is "false"
  }
}

And the token and (optional) prefix will be injected into extensions.jwt.token of the upstream HTTP request:

{
  "query": "{ comments { id author { id }} }",
  "extensions": {
    "jwt": {
      "payload": {
        "sub": 123
      },
      "token": {
        "value": "XYZ",
        "prefix": "Bearer"
      }
    }
  }
}

Additionally, if you wish to change the name of the jwt field in the extensions, you can use the forwarded.extensionsFieldName option to change it:

{
  forwarded: {
    extensionsFieldName: 'myJwt' // optional, defualt is "jwt"
  }
}

Using the JWT token

Within Gateway

The JWT plugin will inject the decoded token and payload into the context of Hive Gateway.

You can use the injected payload with other plugins, to implement things like authorization or user-identity based logic.

For example, with a plugin like Operation Field Permissions, you can use the jwt property of the context to access the decoded JWT token, and decide what permissions to allow to the user based on identity or token claims:

gateway.config.ts
import { useOperationFieldPermissions } from '@envelop/operation-field-permissions'
import { defineConfig } from '@graphql-hive/gateway'
 
export const gatewayConfig = defineConfig({
  // ...
  jwt: {
    // ...
  },
  plugins: () => [
    useOperationFieldPermissions({
      getPermissions: async context => {
        const { jwt } = context
 
        // Check based on identity / user-id.
        if (jwt?.payload?.sub === '123') {
          return new Set(['Query.*'])
        }
 
        // Check based on token payload
        if (jwt?.payload?.role === 'admin') {
          return new Set(['Query.*'])
        }
 
        // Default permissions
        return new Set(['Query.greetings'])
      }
    })
  ]
})

In upstream GraphQL subgraphs

The JWT token and claims are forwarded to the upstream GraphQL subgraphs, using the extensions field.

To access the JWT token and claims in your upstream service resolvers/execution, you can use the extensions field of the incoming GraphQL request.

If you are using GraphQL-Yoga for your upstream subgraph implementation, you can use a built-in utility for extracting it for you in an easy way:

yoga-subgraph.ts
import { useForwardedJWT } from '@graphql-hive/gateway'
 
const myYogaSubgraphServer = createYoga({
  schema: mySchema,
  plugins: [
    useForwardedJWT({
      // The name of the field in the extensions object, default is "jwt"
      extensionsFieldName: 'jwt',
      // The name of the field to inject into the local context object, default is "jwt"
      extendContextFieldName: 'jwt'
    })
  ]
})

With this plugin configured, you should be able to just access context.jwt in your subgraphs, just like you would in the gateway.

This makes the process of integrating JWT easier, and streamlined across the whole flow of execution.

Additional Configuration

Token lookup

The plugin can be configured to look for the JWT token in different locations:

By default, the plugin will look for the token in the authorization header. You can configure the plugin to look for the token in a different header or with a different prefix.

The prefix is being validated along with the token (for example: Bearer my-token).

import { defineConfig, extractFromHeader } from '@graphql-hive/gateway'
 
export const gatewayConfig = defineConfig({
  // ...
  jwt: {
    // ...
    lookupLocations: [extractFromHeader({ name: 'x-auth-token', prefix: 'Bearer' })]
  }
})

Signing Key providers

The plugin can be configured to use different signing key providers:

You can provide the signing key directly in the configuration.

Do not hardcode the signing key in your code. Use environment variables, local encrypted file or a secret store!

import { createInlineSigningKeyProvider, defineConfig } from '@graphql-hive/gateway'
 
export const gatewayConfig = defineConfig({
  // ...
  jwt: {
    // ...
    singingKeyProviders: [createInlineSigningKeyProvider(process.env.MY_JWT_SECRET)]
  }
})

In case you are using an inline signing key provider, all keyid / kid will be allowed in tokens.

Token Verification

The plugin verification process can be customized to match the JWT token issuer, audience, and algorithms.

Note that the verification options should match the JWT signer’s configuration.

You can find here the complete list of verification options for this plugin.

import { defineConfig } from '@graphql-hive/gateway'
 
export const gatewayConfig = defineConfig({
  // ...
  jwt: {
    // ...
    tokenVerification: {
      issuer: ['http://yoga'],
      audience: 'my-audience',
      algorithms: ['HS256', 'RS256']
    }
  }
})

Execution Rejection

The plugin can be configured to reject the request if the token is missing or invalid.

By default, an authentication error will be thrown if the token is missing or invalid, and the request will be reject with status code 401.

import { defineConfig } from '@graphql-hive/gateway'
 
export const gatewayConfig = defineConfig({
  // ...
  jwt: {
    // ...
    reject: {
      missingToken: true,
      invalidToken: true
    }
  }
})

In case you want to handle the error yourself, you can set reject: { missingToken: false, invalidToken: false } and handle the error in your resolvers. The context.jwt will be undefined in case of missing or invalid token.

Granular Protection using Auth Directives (@authenticated, @requiresScopes and @policy)

Configuration

By default, the JWT plugin protects the whole schema. If you want to use a granular protection by using Federation directives such as @authenticated, @requiresScopes and @policy, you can use the Generic Auth plugin to have a granular protection using with or without JWT.

With the following configuration, you can use the JWT plugin to extract the token and claims, and then use the Generic Auth plugin to protect the schema with the Federation directives:

import { defineConfig } from '@graphql-hive/gateway'
 
export const gatewayConfig = defineConfig({
  // ...
  jwt: {
    // You have to disable the default rejection of the JWT plugin
    reject: {
      missingToken: false,
      invalidToken: false
    }
  },
  genericAuth: {
    // Then set generic auth plugin to use granular mode
    mode: 'protect-granular',
    // Set where to extract the payload
    resolveUser: ctx => ctx.jwt?.payload,
    // If you want to continue execution even if some fields are rejected
    rejectUnauthenticated: false
  }
})

Protect a field using a field @authenticated

In your GraphQL schema SDL, you can add @authenticated directive to your fields.

# Import it from Federation spec
extend schema @link(url: "https://specs.apollo.dev/federation/v2.6", import: ["@authenticated"])
 
type Query {
  me: User! @authenticated
  protectedField: String @authenticated
  # publicField: String
}

You can apply that directive to any GraphQL field definition, not only to root fields.

Role/scope based authentication (RBAC) with @requiresScope directive

You can use @requiresScope directive to protect your schema based on the user’s role or scope. Here’s an example of how you can use it:

extend schema @link(url: "https://specs.apollo.dev/federation/v2.5", import: ["@requiresScopes"])
 
type Query {
  me: User! @requiresScopes(scopes: [["read:user"]])
  protectedField: String @requiresScopes(scopes: [["read:admin"]])
  publicField: String
}

By default, the plugin will try to extract available scopes for the current payload from scope property which is expected to be a string like read:user read:admin. However you can customize this behavior by providing a custom extractScopes function.

{
  resolveUserFn,
  validateUser,
  mode: 'protect-granular',
  // Set where to extract the payload
  resolveUser: ctx => ctx.jwt?.payload,
  extractScopes: jwtPayload => jwtPayload?.scopes // Expected to return an array of strings
}

You can also apply AND or OR logic to the scopes:

extend schema @link(url: "https://specs.apollo.dev/federation/v2.5", import: ["@requiresScopes"])
 
type Query {
  # This field requires the user to have `read:user` OR `read:admin` scopes
  me: User! @requiresScopes(scopes: [["read:user"], ["read:admin"]])
  # This field requires the user to have `read:user` AND `read:admin` scopes
  protectedField: String @requiresScopes(scopes: [["read:admin", "read:user"]])
  publicField: String
}

@policy directive to fetch the roles from a policy service

You can use the @policy directive to fetch the roles from a policy service. Here’s an example of how you can use it:

extend schema @link(url: "https://specs.apollo.dev/federation/v2.5", import: ["@policy"])
 
type Query {
  me: User! @policy(policies: [["read:user"]])
  protectedField: String @policy(policies: [["read:admin"]])
  publicField: String
}

It has the same logic with @requiresScopes but it can asynchronously fetch the roles from a source;

{
  resolveUserFn,
  validateUser,
  mode: 'protect-granular',
  fetchPolicies: async user => {
    const res = await fetch('https://policy-service.com', {
      headers: {
        Authorization: `Bearer ${user.token}`
      }
    })
    // Expected to return an array of strings
    return res.json()
  }
}
Persisted DocumentsMonitoring/Tracing