Add support for endpoint authorization

[johnrutherford]

Make all IAppBuilders extension methods consistent
Add more tests

[RehanSaeed]

I would suggest modelling this after the [Authorize] attribute in ASP.NET Core. In that attribute you can pass:

• AuthenticationSchemes - (This is a comma delimeted string but only because you can't pass an array to an attribute). I think this one is important to provide an overload for.
• RoleName - I would recommend using policies but some people like to shoot themselves in the foot and use role names.
• ActiveAuthenticationSchemes - This is obsolete. Do not add this.

Also, is the authorization repo dead? I literally submitted a PR yesterday to use the ASP.NET Core Authorization package.

[johnrutherford]

I think it's best to keep this simple. You can create a policy that specifies the authentication schemes or require role(s). I used a role check for the tests in Transports.AspNetCore.Tests\AuthenticatedTestStartup.cs.

I think the stuff in the authorization repo is more for authorizing individual nodes. I felt there was a separate need to support transport authorization of the endpoint that integrates with ASP.NET Core authentication and will trigger the authentication challenge or forbidden responses.

[RehanSaeed]

Is the reason this is called AddHttpAuthorization, because subscriptions don't support auth?

[johnrutherford]

It was more to differentiate it from the authorization of the GraphQL nodes.

I also added authorization support for the WebSocket transport. WebSockets still uses HTTP(S) before the connection is upgraded.

[RehanSaeed]

Ok, I understand this now. So AuthorizationPolicyName is like a default policy for the entire API. When you call Microsofts AddAuthorization function you can already set a default policy there, so I don't think you need this:

services.AddAuthorization(options => options.DefaultPolicy = "FooPolicy");

I think you should take a look at the code from my PR graphql-dotnet/authorization#13 to be able to add auth policies to individual graph fields or graph types.

[RehanSaeed]

I think UseAuthorization() actually applies the DefaultPolicy above. So there is already middleware that will achieve this built into ASP.NET Core.

[johnrutherford]

Do you know what package UseAuthorization() is in? I can't find it. I looked for a generic middleware that would do that, but I couldn't find one.

[johnrutherford]

Confirmed it doesn't exist: https://github.com/aspnet/Security/issues/1734.

[RehanSaeed]

You're absolutely right, I must have imagined it. Looks like they are planning to add a middleware to do this though. If we can't wait for Microsoft to implement it, perhaps it should be a separate UseDefaultAuthorizationPolicy middleware.

Either way, we should still not add AuthorizationPolicyName to GraphQLHttpMiddlewareOptions. Instead we should use DefaultPolicy in the authorization options.

[johnrutherford]

I thought about using the DefaultPolicy, but what if you want to use the default policy for MVC and a different policy for your GraphQL endpoint? With the AuthorizationPolicyName you're able to specify whichever policy you want to use.

[joemcbride]

I like the passing of a policy name vs. using DefaultPolicy for the reasons @johnrutherford gave.

[RehanSaeed]

You can run multiple apps in a single ASP.NET Core application with separate DI containers, see blog post. Not well known you can do this.

[joemcbride]

I'm a bit concerned about adding "yet another project" that will have to be packaged as another nuget. FubuMVC ran into this issue of tons of different nuget packages and eventually consolidated everything. Since this is a shared dependency I think it should just be added to the Core project.

[johnrutherford]

Yeah, I was unsure since it brought in additional dependencies, but I think the consolidation would be better.

[joemcbride]

I like the passing of a policy name vs. using DefaultPolicy for the reasons @johnrutherford gave.

[joemcbride]

🎉 Like the namespace cleanup.

[joemcbride]

Just to clarify here, this doesn't need to call the next Middleware because this auth check failed and it should be calling Forbid or Challenge?

[johnrutherford]

Correct.

[joemcbride]

If it reaches here, it appears that we're missing a authorizeResult case (or it should perhaps never be possible to happen?). Should this throw or set a http status code? Since we're not invoking the next middleware it seems this request will just stop without providing any result.

throw new InvalidOperationException("this should never be reached")

[johnrutherford]

It shouldn't happen. Yeah, I think it would be a good idea to throw an exception there.

[joemcbride]

To be consistent perhaps use HttpStatusCode.MethodNotAllowed here and cast it to int. That should remove the need for the comment.

[benmccallum]

The recommended approach from MS is now to use Microsoft.AspNetCore.Http.StatusCodes, as it's a static class with const fields therefore implying more codes can come as opposed to the old HttpStatusCode enum. Don't have a source, they explained it better, was in an aspnet repo though.

[johnrutherford]

@joemcbride pushed some additional changes based on your feedback.

[pekkah]

Is this now obsolete?

[johnrutherford]

I think there is still a use for it. It allows you to authorize access to the entire endpoint. If the request is not authorized, none of the GraphQL code will be run. If you are relying only on authorization within GraphQL, there is more of a performance cost with the GraphQL execution and checking authorization on nodes.

This will also return standard HTTP status codes (i.e., 401 or 403) to indicate to clients that the request was unauthorized/forbidden. This makes it easier for the client to know to re-authenticate the user. Otherwise, the client needs to parse errors in the GraphQL response to look for a specific message.

I am currently achieving the same result using a custom AuthorizationMiddleware like this:

app.Map("/graphql", branch =>
{
    branch.UseAuthorization(Policies.GraphQL);
    branch.UseGraphQL<MySchema>("");
});

I would prefer something like this:

app.UseGraphQL<MySchema>(opts => opts.AuthorizationPolicyName = Policies.GraphQL);

[sungam3r]

@johnrutherford Is this PR still relevant after #440 ?

[sungam3r]

I see that at least part of the changes in this PR does what has already been done. Some of the code has already been deprecated and has been removed. The remaining code, as I understand it, establishes certain authorization rules. Authorization is now encapsulated in a separate project. Will you keep working on this PR or is it not worth it?

[sungam3r]

@johnrutherford @RehanSaeed friendly bump

[sungam3r]

@johnrutherford If there is no more work on this PR, then I'm going to close it after the merging #477 . Otherwise, you need to resolve conflicts and update this PR to target on the develop branch.

[sungam3r]

Closed as stale.