Authentication principal Spring security

[FranBisquerra]

First of all, thank you for your job!

I am building the API as an oauth2 resource server, I've configured spring security and processed a jwt that gets stored along some user details, a pretty straightforward implementation.
I have implemented a directive to expose the queries and mutations based on the authorities of the principal, I've managed to get the request in the directive via the graphql context but I can't find a way to get the Authentication object from the ReactiveSecurityContext...

Would you have any recommendations or guidelines that I could follow?

Thanks!

[dariuszkuc]

I haven't tried it myself but I'd assume you would build out your ReactiveSecurityContext in a webfilter which would run before GraphQL context webfilter. Then in the context webfilter you could access the authentication object and populate the context as needed.

[FranBisquerra]

The problem that I have is that i can't retrieve the ReactiveSecurityContext inside the executed query, as far as I can see only the graphQLContext is added to the execution input in the SimpleQueryHandler. Therefore the Authentication is lost and annotations like @PreAuthorize will rely on the default anonymous user.

Not sure if I am correct as I am new to reactive programming.. Does it makes any sense to you?

Would there be a way to keep the rest of reactor contexts in the query to perform things like @PreAuthorize or get the Authentication in directives.

[dariuszkuc]

SpringBoot 2.x introduced full interop between Reactor and Coroutines. If in your security web filter you store ReactiveSecurityContext inside the subscriber context you can read it in context web filter and populate your GraphQL context accordingly.

AFAIK Spring security annotations won't work on GraphQL methods but you could use directives to achieve the same (directives would use information from your GraphQL context).

[FranBisquerra]

I Finally managed to get the security context, I did it this way and I think is non blocking..

    @ExperimentalCoroutinesApi
    @Suppress("ForbiddenVoid")
    override fun filter(exchange: ServerWebExchange, chain: WebFilterChain): Mono<Void> =
            if (isApplicable(exchange.request.uri.path)) {
                mono {
                    contextFactory.generateContext(getSecurityContext(coroutineContext[ReactorContext]!!)?.awaitFirstOrNull())
                }.flatMap { graphQLContext ->
                    chain.filter(exchange).subscriberContext { it.put(GRAPHQL_CONTEXT_KEY, graphQLContext) }
                }
            } else {
                chain.filter(exchange)
            }


    @ExperimentalCoroutinesApi
    private fun getSecurityContext(reactorContext: ReactorContext): Mono<SecurityContext>? {
        return reactorContext.context.getOrDefault<Mono<SecurityContext>>(SecurityContext::class.java, null)
    }

Correct me please if I'm wrong.

Then in the directive...

class AuthorizationDataFetcher(
        private val originalDataFetcher: DataFetcher<Any>,
        private val roles: Array<String>) : DataFetcher<Any> {

    override fun get(environment: DataFetchingEnvironment): Any {
        val ropittGraphQLContext = environment.getContext<RopittGraphQLContext>()
        return if (ropittGraphQLContext.securityContext != null) {
            val authorities = ropittGraphQLContext.securityContext.authentication.authorities.filter {
                roles.contains(it.authority)
            }
            if (authorities.isNotEmpty()) {
                originalDataFetcher.get(environment)
            } else {
                throw Exception("Can only access this resource with roles: ${roles.joinToString(", ")}")
            }
        } else {
            originalDataFetcher.get(environment)
        }
    }
}

And then I end up doing this...

   @Authorization(["ROLE_ADMIN"])
    suspend fun people(context: RopittGraphQLContext, count: Int): MutableList<PersonDTO> {
        return apiPersonService.getPeople(count).awaitFirst()
    }

There is only one small question left, as you can see I'm raising an exception and Can you think of a better way to prevent the access to the resource, are there any performance inconvenient in raising an exception there.

Thanks!

[dariuszkuc]

If user tries to access some unauthorized field then I think throwing exception is the right way to go.

---

Side note if SecurityContext is already part of reactor context you can read it directly in your GraphQLContextFactory, e.g.

class CustomContextFactory : GraphQLContextFactory<CustomContext> {

  override suspend fun generateContext(request: ServerHttpRequest, response: ServerHttpResponse): CustomContext {
    val reactorContext = coroutineContext[ReactorContext]?.context ?: throw RuntimeException("reactor context unavailable")
    val securityContext = reactorContext.getOrDefault(SecurityContext::class, null)
    return CustomContext(securityContext = securityContext)
  }
}

[rowi1de]

Thanks for the example, I think one this is different: RopittGraphQLContext probably contains Mono<SecurityContext> instead of just SecurityContext?
Created a follow up #758

[ermadmi78]

Hi All.

See schema-first Kotlin Spring Boot GraphQL Server with Spring Security authentication and authorization example here:
https://github.com/ermadmi78/kobby-gradle-example