Authorization and Authentication
Hive Gateway supports Authentication and Authorization using JSON Web Tokens (JWT).
A JSON Web Tokens (JWT) is a signed token containing arbitrary informations, commonly used for authentication. By being signed by the issuer of the token, it can be verified that the token is valid and has not been tampered with.
Hive Gateway provides a plugin to easily integrate JWT into your API, allowing you to easily validate, decode and use the token (for identity and authorization).
Once you have the JWT token extract and validated, the JWT claims (and optionally, the full token)
are injected to the Hive Gateway execution context, and forwarded to upstream GraphQL subgraphs,
using the extensions
field.
When JWT is enabled and claims are forwarded to the upstream GraphQL subgraphs, you might want to use HMAC Signature between your Hive Gateway and the subgraphs. This will ensure that the requests to the subgraphs are trusted and signed by the gateway, and no other entity can execute requests to the subgraph on behalf of the end-users.
You can refer to Generic Auth plugin docs, if you need a more customized auth setup without JWT.
How to use?
Here’s a mininal example for configuring the JWT plugin with a local signing key, and looking for
the token in the authorization
header:
import {
createInlineSigningKeyProvider,
defineConfig,
extractFromHeader
} from '@graphql-hive/gateway'
const signingKey = 'my-secret-key'
export const gatewayConfig = defineConfig({
jwt: {
// Look and extract for the token in the 'authorization' header, with the 'Bearer' prefix.
lookupLocations: [extractFromHeader({ name: 'authorization', prefix: 'Bearer' })],
// Decode and validate the token using the provided signing key.
singingKeyProviders: [createInlineSigningKeyProvider(signingKey)],
// Forward the verified token payload to the upstream GraphQL subgraphs.
forwared: {
payload: true
}
}
})
You can also pass additional configuration options to the Yoga plugin:
import { defineConfig, createInlineSigningKeyProvider, createRemoteJwksSigningKeyProvider, extractFromHeader, extractFromCookie } from '@graphql-hive/gateway'
export const gatewayConfig = defineConfig({
jwt: {
// Forward the extracted token and claims to the upstream GraphQL subgraphs.
forwarded: {
payload: true, // optional, defualt is "true"
token: false, // optional, defualt is "false"
extensionsFieldName: "jwt", // optional, defualt is "jwt"
},
// Configure your signing providers: either a local signing-key or a remote JWKS are supported.
singingKeyProviders: [
createInlineSigningKeyProvider(signingKey),
createRemoteJwksSigningKeyProvider({ jwksUri: 'https://example.com/.well-known/jwks.json' })
]
// Configure where to look for the JWT token: in the headers, or cookies.
// By default, the plugin will look for the token in the 'authorization' header only.
lookupLocations: [
extractFromHeader({ name: 'authorization', prefix: 'Bearer' }),
extractFromCookie({ name: 'auth' }),
],
// Configure your token issuers/audience/algorithms verification options.
// By default, the plugin will only verify the HS256/RS256 algorithms.
// Please note that this should match the JWT signer issuer/audience/algorithms.
tokenVerification: {
issuer: 'http://my-issuer.com',
audience: 'my-audience',
algorithms: ['HS256', 'RS256'],
},
// The plugin can reject the request if the token is missing or invalid (doesn't pass JWT `verify` flow).
// By default, the plugin will reject the request if the token is missing or invalid.
reject: {
missingToken: true,
invalidToken: true,
}
}
})
Configuration Options
Please refer to the configuration options of the Yoga plugin for complete details and examples.
Forwarding the JWT token and payload
The JWT token and payload can be forwarded to the upstream GraphQL subgraphs, using the extensions
field of the request body.
This workflow can allow you to easily delegate the authentication process to Hive Gateway, and allow the subgraphs to deal only with the user identity and authorization.
To pass the full token payload, you can use the forwarded.claims
option:
{
forwarded: {
payload: true // optional, defualt is "true"
}
}
The token payload will be injected into extensions.jwt.payload
of the upstream request body:
{
"query": "{ comments { id author { id }} }",
"extensions": {
"jwt": {
"payload": {
"sub": 123
}
}
}
}
You can also pass the full token, using the forwared.token
option:
{
forwared: {
payload: true, // optional, defualt is "true"
token: true // optional, defualt is "false"
}
}
And the token and (optional) prefix will be injected into extensions.jwt.token
of the upstream
HTTP request:
{
"query": "{ comments { id author { id }} }",
"extensions": {
"jwt": {
"payload": {
"sub": 123
},
"token": {
"value": "XYZ",
"prefix": "Bearer"
}
}
}
}
Additionally, if you wish to change the name of the jwt
field in the extensions, you can use the
forwarded.extensionsFieldName
option to change it:
{
forwarded: {
extensionsFieldName: 'myJwt' // optional, defualt is "jwt"
}
}
Using the JWT token
Within Gateway
The JWT plugin will inject the decoded token and payload into the context of Hive Gateway.
You can use the injected payload with other plugins, to implement things like authorization or user-identity based logic.
For example, with a plugin like Operation Field Permissions, you can use the jwt
property of the
context to access the decoded JWT token, and decide what permissions to allow to the user based on
identity or token claims:
import { useOperationFieldPermissions } from '@envelop/operation-field-permissions'
import { defineConfig } from '@graphql-hive/gateway'
export const gatewayConfig = defineConfig({
// ...
jwt: {
// ...
},
plugins: () => [
useOperationFieldPermissions({
getPermissions: async context => {
const { jwt } = context
// Check based on identity / user-id.
if (jwt?.payload?.sub === '123') {
return new Set(['Query.*'])
}
// Check based on token payload
if (jwt?.payload?.role === 'admin') {
return new Set(['Query.*'])
}
// Default permissions
return new Set(['Query.greetings'])
}
})
]
})
In upstream GraphQL subgraphs
The JWT token and claims are forwarded to the upstream GraphQL subgraphs, using the extensions
field.
To access the JWT token and claims in your upstream service resolvers/execution, you can use the
extensions
field of the incoming GraphQL request.
If you are using GraphQL-Yoga for your upstream subgraph implementation, you can use a built-in utility for extracting it for you in an easy way:
import { useForwardedJWT } from '@graphql-hive/gateway'
const myYogaSubgraphServer = createYoga({
schema: mySchema,
plugins: [
useForwardedJWT({
// The name of the field in the extensions object, default is "jwt"
extensionsFieldName: 'jwt',
// The name of the field to inject into the local context object, default is "jwt"
extendContextFieldName: 'jwt'
})
]
})
With this plugin configured, you should be able to just access context.jwt
in your subgraphs, just
like you would in the gateway.
This makes the process of integrating JWT easier, and streamlined across the whole flow of execution.
Additional Configuration
Token lookup
The plugin can be configured to look for the JWT token in different locations:
By default, the plugin will look for the token in the authorization
header. You can configure the
plugin to look for the token in a different header or with a different prefix.
The prefix is being validated along with the token (for example: Bearer my-token
).
import { defineConfig, extractFromHeader } from '@graphql-hive/gateway'
export const gatewayConfig = defineConfig({
// ...
jwt: {
// ...
lookupLocations: [extractFromHeader({ name: 'x-auth-token', prefix: 'Bearer' })]
}
})
Signing Key providers
The plugin can be configured to use different signing key providers:
You can provide the signing key directly in the configuration.
Do not hardcode the signing key in your code. Use environment variables, local encrypted file or a secret store!
import { createInlineSigningKeyProvider, defineConfig } from '@graphql-hive/gateway'
export const gatewayConfig = defineConfig({
// ...
jwt: {
// ...
singingKeyProviders: [createInlineSigningKeyProvider(process.env.MY_JWT_SECRET)]
}
})
In case you are using an inline signing key provider, all
keyid
/kid
will be allowed in tokens.
Token Verification
The plugin verification process can be customized to match the JWT token issuer
, audience
, and
algorithms.
Note that the verification options should match the JWT signer’s configuration.
You can find here the complete list of verification options for this plugin.
import { defineConfig } from '@graphql-hive/gateway'
export const gatewayConfig = defineConfig({
// ...
jwt: {
// ...
tokenVerification: {
issuer: ['http://yoga'],
audience: 'my-audience',
algorithms: ['HS256', 'RS256']
}
}
})
Execution Rejection
The plugin can be configured to reject the request if the token is missing or invalid.
By default, an authentication error will be thrown if the token is missing or invalid, and the
request will be reject with status code 401
.
import { defineConfig } from '@graphql-hive/gateway'
export const gatewayConfig = defineConfig({
// ...
jwt: {
// ...
reject: {
missingToken: true,
invalidToken: true
}
}
})
In case you want to handle the error yourself, you can set
reject: { missingToken: false, invalidToken: false }
and handle the error in your resolvers. Thecontext.jwt
will beundefined
in case of missing or invalid token.
Granular Protection using Auth Directives (@authenticated
, @requiresScopes
and @policy
)
Configuration
By default, the JWT plugin protects the whole schema. If you want to use a granular protection by
using Federation directives such as @authenticated
, @requiresScopes
and @policy
, you can use
the Generic Auth plugin to have a granular protection using with or without JWT.
With the following configuration, you can use the JWT plugin to extract the token and claims, and then use the Generic Auth plugin to protect the schema with the Federation directives:
import { defineConfig } from '@graphql-hive/gateway'
export const gatewayConfig = defineConfig({
// ...
jwt: {
// You have to disable the default rejection of the JWT plugin
reject: {
missingToken: false,
invalidToken: false
}
},
genericAuth: {
// Then set generic auth plugin to use granular mode
mode: 'protect-granular',
// Set where to extract the payload
resolveUser: ctx => ctx.jwt?.payload,
// If you want to continue execution even if some fields are rejected
rejectUnauthenticated: false
}
})
Protect a field using a field @authenticated
In your GraphQL schema SDL, you can add @authenticated
directive to your fields.
# Import it from Federation spec
extend schema @link(url: "https://specs.apollo.dev/federation/v2.6", import: ["@authenticated"])
type Query {
me: User! @authenticated
protectedField: String @authenticated
# publicField: String
}
You can apply that directive to any GraphQL
field
definition, not only to root fields.
Role/scope based authentication (RBAC) with @requiresScope
directive
You can use @requiresScope
directive to protect your schema based on the user’s role or scope.
Here’s an example of how you can use it:
extend schema @link(url: "https://specs.apollo.dev/federation/v2.5", import: ["@requiresScopes"])
type Query {
me: User! @requiresScopes(scopes: [["read:user"]])
protectedField: String @requiresScopes(scopes: [["read:admin"]])
publicField: String
}
By default, the plugin will try to extract available scopes for the current payload from scope
property which is expected to be a string like read:user read:admin
. However you can customize
this behavior by providing a custom extractScopes
function.
{
resolveUserFn,
validateUser,
mode: 'protect-granular',
// Set where to extract the payload
resolveUser: ctx => ctx.jwt?.payload,
extractScopes: jwtPayload => jwtPayload?.scopes // Expected to return an array of strings
}
You can also apply AND
or OR
logic to the scopes:
extend schema @link(url: "https://specs.apollo.dev/federation/v2.5", import: ["@requiresScopes"])
type Query {
# This field requires the user to have `read:user` OR `read:admin` scopes
me: User! @requiresScopes(scopes: [["read:user"], ["read:admin"]])
# This field requires the user to have `read:user` AND `read:admin` scopes
protectedField: String @requiresScopes(scopes: [["read:admin", "read:user"]])
publicField: String
}
@policy
directive to fetch the roles from a policy service
You can use the @policy
directive to fetch the roles from a policy service. Here’s an example of
how you can use it:
extend schema @link(url: "https://specs.apollo.dev/federation/v2.5", import: ["@policy"])
type Query {
me: User! @policy(policies: [["read:user"]])
protectedField: String @policy(policies: [["read:admin"]])
publicField: String
}
It has the same logic with @requiresScopes
but it can asynchronously fetch the roles from a
source;
{
resolveUserFn,
validateUser,
mode: 'protect-granular',
fetchPolicies: async user => {
const res = await fetch('https://policy-service.com', {
headers: {
Authorization: `Bearer ${user.token}`
}
})
// Expected to return an array of strings
return res.json()
}
}