Authorization Webhooks #6868

Open
ranjithrd opened this issue May 4, 2021 · 5 comments
Labels
a/security k/enhancement New feature or improve an existing feature

Comments

@ranjithrd

Hello!
Hasura right now allows you to offload its authentication functionality to an external server via its webhook functionality.
It would be very helpful to developers on medium to large scale apps for Hasura to provide an authorization webhook, which could essentially help use tools such as OpenPolicyAgent, allowing reuse of authorization logic. Otherwise, a proper integration with OPA would also be very helpful.
Thanks!

@martin-hasura martin-hasura added the k/enhancement New feature or improve an existing feature label May 6, 2021
@vaishnavigvs vaishnavigvs added the a/authz Issues related to "authorization" and the policy engine after session claims are processed label Jun 28, 2021
@vaishnavigvs vaishnavigvs assigned 0x777 and tirumaraiselvan and unassigned 0x777 Jun 28, 2021
@vaishnavigvs vaishnavigvs added a/security and removed a/authz Issues related to "authorization" and the policy engine after session claims are processed labels Jun 28, 2021
@L-U-C-K-Y

L-U-C-K-Y commented Mar 2, 2022

Hi all,

We have been evaluating Hasura for our infrastructure for quite a while and concluded that this is the only feature that is holding us back from deploying Hasura.

The issue is that in our system, different tenants have different roles and abilities/permissions.
So we need to fetch authorization details dynamically.

Using a webhook for authorization would be a great idea and we could implement our custom auth.

Are there any plans? @tirumaraiselvan @vaishnavigvs @0x777

Thanks!

Edit

If there are any "hacks" or workarounds known, happy to implement them as a temporary solution.

@L-U-C-K-Y

L-U-C-K-Y commented Mar 7, 2022

Update: I was thinking that we could use the "Authentication Webhooks" feature and perform the Authorization check there.

As stated in the docs:

If you want to deny the GraphQL request, return a 401 Unauthorized exception.

  1. So far, I was thinking that I can parse the webhook request and access the query key.
  2. With the query key, I could use a GraphQL parser and get an entity type.
  3. With the entity type as enum and the variables, I could perform certain validations.

It's not ideal, but a possibility, I'll keep on searching.

Update

It got super hard, and the more I try to integrate our authorization logic, the more I realize it will not work with the above-mentioned scenario.

Although, another idea came up: we could front the Hasura instances with our own GraphQL server, and then the backend teams would prepare the queries and mutations for the frontend teams; in this way we can add as much authorization logic as required.
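As an added illustration of the workaround sketched in the comment above (this is example code written for this page, not code from the thread, from Hasura, or from any commenter), here is a minimal authentication-webhook handler that performs a coarse authorization check before admitting the request. It assumes Hasura's POST-mode webhook body has the shape `{"headers": {...}, "request": {"query": "...", "variables": {...}, "operationName": ...}}` and that a `200` response carrying `X-Hasura-*` session variables admits the request while a `401` denies it; the `POLICY` allow-list, the `TOKENS` table, and the user records are constructed for the example. The parser only extracts the operation type and the root fields of a single operation, which is exactly the point where this approach runs out of road: anything it cannot reason about (fragments, multiple operations, a malformed document) is denied rather than passed through, and it cannot express row-level filtering at all.

```python
import hmac
import re

# Constructed allow-list (assumption for the example): role -> operation type -> permitted root fields.
# Introspection fields such as __schema are deliberately absent, so they are denied unless added.
POLICY = {
    "viewer": {"query": {"users", "posts"}, "mutation": set()},
    "editor": {"query": {"users", "posts"}, "mutation": {"insert_posts", "update_posts"}},
}

# Constructed bearer-token table standing in for a real identity lookup.
TOKENS = {
    "tok-alice": {"id": "alice", "role": "viewer"},
    "tok-bob": {"id": "bob", "role": "editor"},
}

# Strings and comments are single tokens so braces inside them cannot confuse the depth tracking.
TOKEN_RE = re.compile(
    r'"(?:\\.|[^"\\])*"|#[^\n]*|[A-Za-z_][A-Za-z0-9_]*|-?\d+(?:\.\d+)?|\.\.\.|[{}():$!\[\]=@]|[^\s,]'
)
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def tokenize(query):
    return [t for t in TOKEN_RE.findall(query) if not t.startswith("#")]


def root_fields(query):
    """Return (operation_type, set of root field names) for a single-operation document.

    Raises ValueError for anything the policy cannot reason about, so the caller denies it.
    """
    toks = tokenize(query)
    i, op = 0, "query"  # a bare `{ ... }` is an anonymous query
    if toks and toks[0] in ("query", "mutation", "subscription"):
        op, i = toks[0], 1
        if i < len(toks) and NAME_RE.fullmatch(toks[i]):  # optional operation name
            i += 1
        if i < len(toks) and toks[i] == "(":  # skip variable definitions
            depth = 0
            while i < len(toks):
                depth += {"(": 1, ")": -1}.get(toks[i], 0)
                i += 1
                if depth == 0:
                    break
    if i >= len(toks) or toks[i] != "{":
        raise ValueError("expected a selection set")

    fields, depth, paren, j = set(), 0, 0, i
    while j < len(toks):
        t = toks[j]
        if t == "{":
            depth += 1
        elif t == "}":
            depth -= 1
            if depth == 0:
                j += 1
                break
        elif t == "(":
            paren += 1
        elif t == ")":
            paren -= 1
        elif depth == 1 and paren == 0:  # directly inside the root selection set
            if t == "...":
                raise ValueError("fragment spreads at the root are not supported")
            if t == "@":  # directive: skip `@name`; its arguments are inside parens
                j += 2
                continue
            if NAME_RE.fullmatch(t):
                if j + 1 < len(toks) and toks[j + 1] == ":":  # `alias: field`
                    j += 2
                    continue
                fields.add(t)
        j += 1
    if toks[j:]:  # a second operation or a fragment definition follows
        raise ValueError("multiple operations or fragment definitions are not supported")
    return op, fields


def lookup_user(authorization):
    """Resolve a bearer token against the constructed table using a constant-time compare."""
    if not authorization.startswith("Bearer "):
        return None
    presented = authorization[len("Bearer "):]
    for token, user in TOKENS.items():
        if hmac.compare_digest(token, presented):
            return user
    return None


def handle_auth_webhook(body):
    """Return (http_status, json_body) for an assumed Hasura POST-mode webhook request."""
    headers = {k.lower(): v for k, v in body.get("headers", {}).items()}
    user = lookup_user(headers.get("authorization", ""))
    if user is None:
        return 401, {"message": "unauthenticated"}
    try:
        op, fields = root_fields(body["request"]["query"])
    except (KeyError, TypeError, ValueError) as exc:
        return 401, {"message": f"rejected: {exc}"}
    denied = fields - POLICY.get(user["role"], {}).get(op, set())
    if denied:
        return 401, {"message": f"{user['role']} may not {op} {sorted(denied)}"}
    return 200, {"X-Hasura-User-Id": user["id"], "X-Hasura-Role": user["role"]}
```

Wire `handle_auth_webhook` behind whatever HTTP framework you use and point `HASURA_GRAPHQL_AUTH_HOOK` at it in POST mode; the deny-by-default branches are what keep a parser this small honest, since every document it does not fully understand becomes a `401` instead of a silent pass.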

@nadendlaprasad

Great to have an integration with OPA or a Webhook. I would appreciate any response on this feature

@kevinmichaelchen

https://blog.openpolicyagent.org/write-policy-in-opa-enforce-policy-in-sql-d9d24db93bf4

Since OPA policies are essentially just queries, the translation from Rego into another query language, like SQL, is relatively easy. As long as the policies expressed in Rego do not perform joins, we can translate sets of Rego queries into SQL expressions that get appended onto WHERE clauses.

It's an interesting thought!

@L-U-C-K-Y

https://blog.openpolicyagent.org/write-policy-in-opa-enforce-policy-in-sql-d9d24db93bf4

Since OPA policies are essentially just queries, the translation from Rego into another query language, like SQL, is relatively easy. As long as the policies expressed in Rego do not perform joins, we can translate sets of Rego queries into SQL expressions that get appended onto WHERE clauses.

It's an interesting thought!

While OPA is great, don't you think that we should keep the webhook as generic and open as possible?

8 participants