Website guide for authorization

[jasonkuhrt]

What

• Guide section about authorization
• Note: This is not about authentication

unresolved

• RBAC?
• ABAC?
• JWT scopes? (aka. permissions)
• Nexus authorization plugin?

Why

• A critical need for building many apps
• Eventually we want this to be a core concern of santa framework

How

• Need to research how santa@1 will tackle this domain in the first place
• Then need to refine the engineering into GitHub issues

Related

#210

References

• https://graphql.org/learn/authorization/

Articles

• 2019 https://fauna.com/blog/abac-graphql (abac)
• 2019 https://medium.com/arboric/graphql-attribute-based-access-control-in-arboric-a16132c245fa (abac)
• 2018 https://blog.apollographql.com/authorization-in-graphql-452b1c402a9
• 2018 https://codeburst.io/use-custom-directives-to-protect-your-graphql-apis-a78cbbe17355 (schema first)
• 2018 https://www.prisma.io/blog/graphql-directive-permissions-authorization-made-easy-54c076b5368e (schema first, rbac)
• 2018 https://pusher.com/tutorials/authorization-graphql
• 2018 https://itnext.io/graphql-authentication-using-oauth-json-web-tokens-bdb829602a5c
• 2018 https://blog.grandstack.io/authorization-in-graphql-using-custom-schema-directives-eafa6f5b4658
• 2017 https://blog.cloudboost.io/graphql-data-access-based-on-users-roles-with-express-graphql-3b6892eba048 (rbac)

Forums

• 2018 https://spectrum.chat/graphql/general/best-strategies-to-implement-access-control-in-graphql~f497245c-ca95-471c-9263-209a584d30ff
• 2018 https://twitter.com/juretriglav/status/1062364623104557056
• 2017 https://stackoverflow.com/questions/47718268/ways-to-implement-attribute-based-access-control-with-graphql (abac)

Node Libs / Tools

• chore: refactor test helpers #23 (last update 2019)
• https://github.com/maticzav/graphql-shield (last update 2019)
• https://github.com/Canner/graphql-rbac (last update 2018)
• https://github.com/chenkie/graphql-auth (last update 2017)

Other

• 2019 https://auth0.com/blog/authorization-series-pt-3-dynamic-authorization-with-graphql-and-rules/
• 2019 Support Casbin as the ACL/RBAC/ABAC authorization solution for GraphQL 99designs/gqlgen#937
• 2019 https://github.com/MichalLytek/type-graphql/blob/master/docs/authorization.md
• https://graphql-ruby.org/authorization/authorization
• https://www.graph.cool/docs/tutorials/auth/authorization-for-a-cms-miesho4goo
• https://github.com/casbin/casbin
• https://www.prisma.io/tutorials/graphql-rest-authentication-authorization-basics-ct20/#authorization

[iherger]

What's the current thinking about authorisation in nexus?

This is a critical aspect of any GraphQL API that is open to different user roles, and it would be good to get some guidance here (what is the current status, and where do we go from here).

I have been playing a bit with nexus for a personal project, but I really would need a good way to handle authorisation.

EDIT: I guess I can use graphql-shield as express middleware at the moment.

Thanks a lot.

[nargetdev]

I've been spinning on this pretty full on the past week searching for "idiomatic" implementation that would scale well and "feel good".

I've made a placeholder here for an effort for a fullstack Auth0 example implimenting "roles" for access control for GraphQL using Prisma2:
https://github.com/nargetdev/prisma2-auth0-example

Not sure what library will make sense for Auth0.. seems like there's a lot of options. For now I'm just going to manage "the old fashioned way" - by storing user ID in a table with a "role" column.

P.S. Are schema directives dead in Prisma2?

[hsluoyz]

@nargetdev @jasonkuhrt Hi guys, Node-Casbin is one of the most promising authorization library for Node.js that supports ACL, RBAC and ABAC. It has a Prisma adapter: https://github.com/node-casbin/prisma-adapter The rules can be stored via Prisma like your other data.

Casbin is suitable for protecting GraphQL endpoints, see an example: https://github.com/esmaeilpour/graphql-casbin

[jasonkuhrt]

Thanks @hsluoyz will take a look. Would you be open for a direct chat with the team sometime?

[hsluoyz]

@jasonkuhrt sure. What tool do you use?

[jasonkuhrt]

@hsluoyz flexible! Zoom often. Best time might be once the team has had a chance to inform ourselves a bit. Depends on when we sprint on auth. Might still be a month or few out, not sure. Can we reach out to you then? Via email?

[hsluoyz]

@jasonkuhrt OK. Please reach me at hsluoyz AT gmail dot com at that time !