graphql-engine/docs/graphql/manual/auth/authentication/index.rst

.. meta::
   :description: Manage authenticaton with Hasura
   :keywords: hasura, docs, authentication, auth

.. _authentication:

Authentication
==============

.. contents:: Table of contents
  :backlinks: none
  :depth: 1
  :local:

Overview
--------

Authentication is handled outside of Hasura. Hasura delegates authentication and resolution of request
headers into session variables to your authentication service *(existing or new)*.

Your authentication service is required to pass a user's **role** information in the form of session
variables like ``X-Hasura-Role``, etc. More often than not, you'll also need to pass user information
for your access control use cases, like ``X-Hasura-User-Id``, to build permission rules.

You can also configure Hasura to allow access to unauthenticated users by configuring a specific role
which will be set for all unauthenticated requests.

Authentication options
----------------------

Hasura supports two modes of authentication configuration:

1. Webhook
^^^^^^^^^^

Your auth server exposes a webhook that is used to authenticate all incoming requests
to the Hasura GraphQL engine server and to get metadata about the request to evaluate access control
rules.

Here's how a GraphQL request is processed in webhook mode:

.. thumbnail:: /img/graphql/manual/auth/auth-webhook-overview.png
   :alt: Authentication using webhooks

2. JWT (JSON Web Token)
^^^^^^^^^^^^^^^^^^^^^^^

Your auth server issues JWTs to your client app, which, when sent as part
of the request, are verified and decoded by the GraphQL engine to get metadata about the request to
evaluate access control rules.

Here's how a GraphQL query is processed in JWT mode:

.. thumbnail:: /img/graphql/manual/auth/auth-jwt-overview.png
   :alt: Authentication using JWT

**See more details at:**

.. toctree::
  :maxdepth: 1

  Using webhooks <webhook>
  Using JWT <jwt>
  Unauthenticated access <unauthenticated-access>
docs: add meta descriptions to pages (#3631) 2020-01-14 15:57:45 +03:00			`.. meta::`
			`:description: Manage authenticaton with Hasura`
			`:keywords: hasura, docs, authentication, auth`

docs: replace doc with ref (close #4054) (#4068) 2020-03-11 22:42:36 +03:00			`.. _authentication:`

revert auth heading changes in docs (#3992) 2020-03-02 14:24:19 +03:00			`Authentication`
			`==============`
update auth docs (#1796) 2019-05-17 15:03:35 +03:00
			`.. contents:: Table of contents`
			`:backlinks: none`
			`:depth: 1`
			`:local:`

			`Overview`
			`--------`

fix typos in documentation (#2562) 2019-09-11 10:17:14 +03:00			`Authentication is handled outside of Hasura. Hasura delegates authentication and resolution of request`
update auth docs (#1796) 2019-05-17 15:03:35 +03:00			`headers into session variables to your authentication service (existing or new).`

			`Your authentication service is required to pass a user's role information in the form of session`
			variables like ``X-Hasura-Role``, etc. More often than not, you'll also need to pass user information
fix typos in documentation (#2562) 2019-09-11 10:17:14 +03:00			for your access control use cases, like ``X-Hasura-User-Id``, to build permission rules.
update auth docs (#1796) 2019-05-17 15:03:35 +03:00
add docs page for setting up unauthenticated acess (#3231) 2019-10-28 09:16:25 +03:00			`You can also configure Hasura to allow access to unauthenticated users by configuring a specific role`
			`which will be set for all unauthenticated requests.`

update auth docs (#1796) 2019-05-17 15:03:35 +03:00			`Authentication options`
			`----------------------`

			`Hasura supports two modes of authentication configuration:`

add docs page for setting up unauthenticated acess (#3231) 2019-10-28 09:16:25 +03:00			`1. Webhook`
			`^^^^^^^^^^`

			`Your auth server exposes a webhook that is used to authenticate all incoming requests`
			`to the Hasura GraphQL engine server and to get metadata about the request to evaluate access control`
			`rules.`

			`Here's how a GraphQL request is processed in webhook mode:`

docs: update image paths (#4649) 2020-05-05 06:52:08 +03:00			`.. thumbnail:: /img/graphql/manual/auth/auth-webhook-overview.png`
docs: add alt tags for all images (#3634) 2020-01-08 16:20:18 +03:00			`:alt: Authentication using webhooks`
add docs page for setting up unauthenticated acess (#3231) 2019-10-28 09:16:25 +03:00
			`2. JWT (JSON Web Token)`
			`^^^^^^^^^^^^^^^^^^^^^^^`
update auth docs (#1796) 2019-05-17 15:03:35 +03:00
add docs page for setting up unauthenticated acess (#3231) 2019-10-28 09:16:25 +03:00			`Your auth server issues JWTs to your client app, which, when sent as part`
			`of the request, are verified and decoded by the GraphQL engine to get metadata about the request to`
			`evaluate access control rules.`
update auth docs (#1796) 2019-05-17 15:03:35 +03:00
add docs page for setting up unauthenticated acess (#3231) 2019-10-28 09:16:25 +03:00			`Here's how a GraphQL query is processed in JWT mode:`
update auth docs (#1796) 2019-05-17 15:03:35 +03:00
docs: update image paths (#4649) 2020-05-05 06:52:08 +03:00			`.. thumbnail:: /img/graphql/manual/auth/auth-jwt-overview.png`
docs: add alt tags for all images (#3634) 2020-01-08 16:20:18 +03:00			`:alt: Authentication using JWT`
update auth docs (#1796) 2019-05-17 15:03:35 +03:00
add docs page for setting up unauthenticated acess (#3231) 2019-10-28 09:16:25 +03:00			`See more details at:`
update auth docs (#1796) 2019-05-17 15:03:35 +03:00
			`.. toctree::`
			`:maxdepth: 1`

			`Using webhooks <webhook>`
			`Using JWT <jwt>`
add docs page for setting up unauthenticated acess (#3231) 2019-10-28 09:16:25 +03:00			`Unauthenticated access <unauthenticated-access>`