2020-01-14 15:57:45 +03:00
|
|
|
.. meta::
|
|
|
|
:description: Manage authenticaton with Hasura
|
|
|
|
:keywords: hasura, docs, authentication, auth
|
|
|
|
|
2020-03-11 22:42:36 +03:00
|
|
|
.. _authentication:
|
|
|
|
|
2020-03-02 14:24:19 +03:00
|
|
|
Authentication
|
|
|
|
==============
|
2019-05-17 15:03:35 +03:00
|
|
|
|
|
|
|
.. contents:: Table of contents
|
|
|
|
:backlinks: none
|
|
|
|
:depth: 1
|
|
|
|
:local:
|
|
|
|
|
|
|
|
Overview
|
|
|
|
--------
|
|
|
|
|
2019-09-11 10:17:14 +03:00
|
|
|
Authentication is handled outside of Hasura. Hasura delegates authentication and resolution of request
|
2019-05-17 15:03:35 +03:00
|
|
|
headers into session variables to your authentication service *(existing or new)*.
|
|
|
|
|
|
|
|
Your authentication service is required to pass a user's **role** information in the form of session
|
|
|
|
variables like ``X-Hasura-Role``, etc. More often than not, you'll also need to pass user information
|
2019-09-11 10:17:14 +03:00
|
|
|
for your access control use cases, like ``X-Hasura-User-Id``, to build permission rules.
|
2019-05-17 15:03:35 +03:00
|
|
|
|
2019-10-28 09:16:25 +03:00
|
|
|
You can also configure Hasura to allow access to unauthenticated users by configuring a specific role
|
|
|
|
which will be set for all unauthenticated requests.
|
|
|
|
|
2019-05-17 15:03:35 +03:00
|
|
|
Authentication options
|
|
|
|
----------------------
|
|
|
|
|
|
|
|
Hasura supports two modes of authentication configuration:
|
|
|
|
|
2019-10-28 09:16:25 +03:00
|
|
|
1. Webhook
|
|
|
|
^^^^^^^^^^
|
|
|
|
|
|
|
|
Your auth server exposes a webhook that is used to authenticate all incoming requests
|
|
|
|
to the Hasura GraphQL engine server and to get metadata about the request to evaluate access control
|
|
|
|
rules.
|
|
|
|
|
|
|
|
Here's how a GraphQL request is processed in webhook mode:
|
|
|
|
|
2020-08-25 19:21:21 +03:00
|
|
|
.. thumbnail:: /img/graphql/core/auth/auth-webhook-overview.png
|
2020-01-08 16:20:18 +03:00
|
|
|
:alt: Authentication using webhooks
|
2019-10-28 09:16:25 +03:00
|
|
|
|
|
|
|
2. JWT (JSON Web Token)
|
|
|
|
^^^^^^^^^^^^^^^^^^^^^^^
|
2019-05-17 15:03:35 +03:00
|
|
|
|
2019-10-28 09:16:25 +03:00
|
|
|
Your auth server issues JWTs to your client app, which, when sent as part
|
|
|
|
of the request, are verified and decoded by the GraphQL engine to get metadata about the request to
|
|
|
|
evaluate access control rules.
|
2019-05-17 15:03:35 +03:00
|
|
|
|
2019-10-28 09:16:25 +03:00
|
|
|
Here's how a GraphQL query is processed in JWT mode:
|
2019-05-17 15:03:35 +03:00
|
|
|
|
2020-08-25 19:21:21 +03:00
|
|
|
.. thumbnail:: /img/graphql/core/auth/auth-jwt-overview.png
|
2020-01-08 16:20:18 +03:00
|
|
|
:alt: Authentication using JWT
|
2019-05-17 15:03:35 +03:00
|
|
|
|
2019-10-28 09:16:25 +03:00
|
|
|
**See more details at:**
|
2019-05-17 15:03:35 +03:00
|
|
|
|
|
|
|
.. toctree::
|
|
|
|
:maxdepth: 1
|
|
|
|
|
|
|
|
Using webhooks <webhook>
|
|
|
|
Using JWT <jwt>
|
2020-06-29 15:50:06 +03:00
|
|
|
Unauthenticated / Public access <unauthenticated-access>
|
2021-03-09 11:36:02 +03:00
|
|
|
|
|
|
|
.. admonition:: Additional Resources
|
|
|
|
|
|
|
|
Enterprise Grade Authorization - `Watch Webinar <https://hasura.io/events/webinar/authorization-modeling-hasura/?pg=docs&plcmt=body&cta=watch-webinar&tech=>`__.
|