graphql-engine/docs/graphql/manual/auth/index.rst

.. meta::
   :description: Manage GraphQL Authentication and Authorization with Hasura
   :keywords: hasura, docs, authentication, auth, authorization

.. _auth:

Authentication & Authorization
==============================

.. contents:: Table of contents
  :backlinks: none
  :depth: 1
  :local:

In Hasura, access control or authorization is based on **roles**. Let's take a look at how this works
when the GraphQL engine receives a request:

.. thumbnail:: ../../../img/graphql/manual/auth/auth-high-level-overview.png
   :alt: Authentication and authorization with Hasura

As you can see from this:

- **Authentication** is handled outside Hasura. Hasura delegates authentication and resolution of request
  headers into session variables to your authentication service *(existing or new)*.

  Your authentication service is required to pass a user's **role** information in the form of session
  variables like ``X-Hasura-Role``, etc. More often than not, you'll also need to pass user information
  for your access control use cases, like ``X-Hasura-User-Id``, to build permission rules.

- For **Authorization** or **Access Control**, Hasura helps you define granular role-based access control
  rules for every field in your GraphQL schema *(granular enough to control access to any row or
  column in your database)*.

  Hasura uses the role/user information in the session variables and the actual query itself to validate
  the query against the rules defined by you. If the query/operation is allowed, it generates an SQL
  query, which includes the row/column-level constraints from the access control rules, and sends it to
  the database to perform the required operation (*fetch the required rows for queries, insert/edit
  rows for mutations, etc.*).

**See more details about setting up authentication and access control at:**

.. toctree::
  :maxdepth: 1

  authentication/index
  authorization/index
docs: add meta descriptions to pages (#3631) 2020-01-14 15:57:45 +03:00			`.. meta::`
noop: replace subdomain links with subpath (#3869) Co-authored-by: Rikin Kachhia <54616969+rikinsk@users.noreply.github.com> 2020-02-27 13:13:07 +03:00			`:description: Manage GraphQL Authentication and Authorization with Hasura`
docs: add meta descriptions to pages (#3631) 2020-01-14 15:57:45 +03:00			`:keywords: hasura, docs, authentication, auth, authorization`

docs: replace doc with ref (close #4054) (#4068) 2020-03-11 22:42:36 +03:00			`.. _auth:`

revert auth heading changes in docs (#3992) 2020-03-02 14:24:19 +03:00			`Authentication & Authorization`
			`==============================`
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00
add table of contents to docs pages (#1115) 2018-12-03 15:12:24 +03:00			`.. contents:: Table of contents`
			`:backlinks: none`
			`:depth: 1`
			`:local:`

update auth docs (#1796) 2019-05-17 15:03:35 +03:00			`In Hasura, access control or authorization is based on roles. Let's take a look at how this works`
fix typos in documentation (#2562) 2019-09-11 10:17:14 +03:00			`when the GraphQL engine receives a request:`
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00
update auth docs (#1796) 2019-05-17 15:03:35 +03:00			`.. thumbnail:: ../../../img/graphql/manual/auth/auth-high-level-overview.png`
docs: add alt tags for all images (#3634) 2020-01-08 16:20:18 +03:00			`:alt: Authentication and authorization with Hasura`
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00
update auth docs (#1796) 2019-05-17 15:03:35 +03:00			`As you can see from this:`
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00
update auth docs (#1796) 2019-05-17 15:03:35 +03:00			`- Authentication is handled outside Hasura. Hasura delegates authentication and resolution of request`
			`headers into session variables to your authentication service (existing or new).`
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00
update auth docs (#1796) 2019-05-17 15:03:35 +03:00			`Your authentication service is required to pass a user's role information in the form of session`
			variables like ``X-Hasura-Role``, etc. More often than not, you'll also need to pass user information
fix typos in documentation (#2562) 2019-09-11 10:17:14 +03:00			for your access control use cases, like ``X-Hasura-User-Id``, to build permission rules.
misc docs update (#1374) 2019-01-15 13:49:58 +03:00
update auth docs (#1796) 2019-05-17 15:03:35 +03:00			`- For Authorization or Access Control, Hasura helps you define granular role-based access control`
			`rules for every field in your GraphQL schema *(granular enough to control access to any row or`
			`column in your database)*.`
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00
update auth docs (#1796) 2019-05-17 15:03:35 +03:00			`Hasura uses the role/user information in the session variables and the actual query itself to validate`
fix typos in documentation (#2562) 2019-09-11 10:17:14 +03:00			`the query against the rules defined by you. If the query/operation is allowed, it generates an SQL`
update auth docs (#1796) 2019-05-17 15:03:35 +03:00			`query, which includes the row/column-level constraints from the access control rules, and sends it to`
			`the database to perform the required operation (*fetch the required rows for queries, insert/edit`
			`rows for mutations, etc.*).`
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00
update auth docs (#1796) 2019-05-17 15:03:35 +03:00			`See more details about setting up authentication and access control at:`
merge docs into main repo (close #397) (#398) 2018-09-11 14:11:24 +03:00
			`.. toctree::`
update auth docs (#1796) 2019-05-17 15:03:35 +03:00			`:maxdepth: 1`

			`authentication/index`
			`authorization/index`