Latest commit bc3b36e Jan 18, 2019

GraphQL Authorization

A toolset for authorizing access to graph types for GraphQL .NET.


  • Register the authorization classes in your container (IAuthorizationEvaluator, AuthorizationSettings, and the AuthorizationValidationRule).
  • Provide a UserContext class that implements IProvideClaimsPrincipal.
  • Add policies to the AuthorizationSettings.
  • Apply a policy to a GraphType or Field (which implement IProvideMetadata) using AuthorizeWith(string policy).
  • The AuthorizationValidationRule runs as a validation rule and checks the policies applied to types and fields against the registered policies.
  • You can write your own IAuthorizationRequirement.
  • Use the GraphQLAuthorize attribute if using Schema + Handler syntax.


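// Extension methods: declare both inside a static class.
public static void AddGraphQLAuth(this IServiceCollection services)
{
    services.TryAddSingleton<IHttpContextAccessor, HttpContextAccessor>();
    services.TryAddSingleton<IAuthorizationEvaluator, AuthorizationEvaluator>();
    services.AddTransient<IValidationRule, AuthorizationValidationRule>();

    services.TryAddSingleton(s =>
    {
        var authSettings = new AuthorizationSettings();

        // Only principals carrying the claim role=Admin satisfy this policy.
        authSettings.AddPolicy("AdminPolicy", _ => _.RequireClaim("role", "Admin"));

        return authSettings;
    });
}

public static void UseGraphQLWithAuth(this IApplicationBuilder app)
{
    var settings = new GraphQLSettings
    {
        BuildUserContext = ctx =>
        {
            var userContext = new GraphQLUserContext
            {
                User = ctx.User
            };

            // Task<T> is invariant, so the result is typed as object explicitly.
            return Task.FromResult<object>(userContext);
        }
    };

    // Collect the registered rules, including AuthorizationValidationRule.
    var rules = app.ApplicationServices.GetServices<IValidationRule>();
    settings.ValidationRules.AddRange(rules);

    // Pass settings to the middleware that executes GraphQL requests.
}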


public class GraphQLUserContext : IProvideClaimsPrincipal
{
    public ClaimsPrincipal User { get; set; }
}

public class GraphQLSettings
{
    public Func<HttpContext, Task<object>> BuildUserContext { get; set; }
    public object Root { get; set; }
    public List<IValidationRule> ValidationRules { get; } = new List<IValidationRule>();
}

GraphType first syntax - use AuthorizeWith.

public class MyType : ObjectGraphType
{
    public MyType() => this.AuthorizeWith("AdminPolicy");
}

Schema first syntax - use GraphQLAuthorize attribute.

[GraphQLAuthorize(Policy = "MyPolicy")]
public class MutationType
{
    [GraphQLAuthorize(Policy = "AnotherPolicy")]
    public async Task<string> CreateSomething(MyInput input)
    {
        return Guid.NewGuid().ToString();
    }
}
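
The usage list says you can write your own IAuthorizationRequirement. The following is an added example, not code from this project: a requirement that fails closed unless the caller is authenticated and signed in recently, combined with the "AdminPolicy" claim check from above. It assumes the 2.x contract (`Task Authorize(AuthorizationContext context)`, `context.User`, `context.ReportError`, and a chainable `AddRequirement` on the policy builder); `RecentLoginRequirement`, `RecentLoginPolicy`, "RecentAdminPolicy" and the use of an `auth_time` claim are hypothetical names chosen for illustration.

```csharp
using System;
using System.Threading.Tasks;
using GraphQL.Authorization;

// Hypothetical requirement: the caller must be authenticated and must have
// signed in within maxAge, judged by the "auth_time" claim (Unix seconds).
public class RecentLoginRequirement : IAuthorizationRequirement
{
    private readonly TimeSpan _maxAge;
    private readonly Func<DateTimeOffset> _now; // injectable clock for tests

    public RecentLoginRequirement(TimeSpan maxAge, Func<DateTimeOffset> now = null)
    {
        _maxAge = maxAge;
        _now = now ?? (() => DateTimeOffset.UtcNow);
    }

    // Assumed 2.x contract: report an error to deny, report nothing to allow.
    public Task Authorize(AuthorizationContext context)
    {
        var user = context.User;
        var now = _now();
        // Fail closed: a missing or anonymous principal never passes.
        if (user?.Identity == null || !user.Identity.IsAuthenticated)
        {
            context.ReportError("Authentication is required.");
            return Task.CompletedTask;
        }

        // A missing, malformed or future auth_time counts as stale.
        var raw = user.FindFirst("auth_time")?.Value;
        if (!long.TryParse(raw, out var seconds) || seconds < 0
            || seconds > now.ToUnixTimeSeconds()
            || now - DateTimeOffset.FromUnixTimeSeconds(seconds) > _maxAge)
        {
            context.ReportError("A recent sign-in is required for this operation.");
        }
        return Task.CompletedTask;
    }
}

public static class RecentLoginPolicy
{
    // Call from the AuthorizationSettings factory, next to "AdminPolicy".
    public static void Register(AuthorizationSettings authSettings) =>
        authSettings.AddPolicy("RecentAdminPolicy", _ => _
            .RequireClaim("role", "Admin")
            .AddRequirement(new RecentLoginRequirement(TimeSpan.FromMinutes(10))));
}
```

Apply it like any other policy, for example `AuthorizeWith("RecentAdminPolicy")` on a sensitive mutation field.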

Known Issues

  • It is currently not possible to add a policy to Input objects using Schema first approach.