Allow anonymous schema introspection from federation gateway

[hrshv6]

Product

Hot Chocolate

Is your feature request related to a problem?

We have several graphql domain services we are federating through a gateway, via federation with schema polling → Federation with Polling

• Each of our domain services has a fallback authentication policy that enforces authentication on all end points in the service. This is in place so that a developer does not have to remember adding authentication to every end point.

Below screenshot shows a snip of how we add this fallback policy to our domain service:

• Our problem is that → this fallback authentication policy also enforces authentication on the “/graphql”endpoint produced by Hot Chocolate. This is fine, except for the purposes of schema introspection from the gateway. When the gateway starts up and polls for schemas, schema introspection fails with a 401-UnAuthorized response because the domain service is expecting authentication from caller (gateway)

Is there a setting in Hot Chocolate’s authorization middleware that will allow for anonymous introspection of schemas while requiring authentication on other types of queries?

We do have a temporary solution to get around this problem:

1. When calling MapGraphQL(), we open up the “/graphql” endpoint to be completely anonymous by calling AllowAnonymous()
2. Then we decorate our queries and mutations with the [Authorize] attribute which adds authentication to the “/graphql” endpoint.

We have already tried the following things in our domain services, to make schema introspection anonymous. But none of these have worked:

The solution you'd like

In this comment and this one in similar issues reported previously, you mentioned that it was now possible in Hot Chocolate.

Can you please provide instructions on how to allow schema introspection without being authenticated, or running into 401-Unauthorized responses? Thanks!

[michaelstaib]

There are I think some misconceptions ... The AllowAnonymous on MapGraphQL is transport authentication ... which has nothing to do with the GraphQL authorization. In most cases I would say this creates most problems.

You can secure your GraphQL types and remove and authentication from the MapGraphQL method.

[michaelstaib]

Have you considered just dumping the schema at build time ... its far more efficient.

[hrshv6]

Hi @michaelstaib No, we have not tried this --> "Have you considered just dumping the schema at build time ... its far more efficient."

Can you give us some clues on how we can do this, or where to start? Thanks!

[sc-cpais]

Did you end up finding any solution @hrshv6 ? I'm struggling with the same issue.