graphcool provides a very coarse integration with auth0 JWT. If the JWT data were available inside the permission query, fine-grained access would be possible. The permission flow would be like this:
1. Check JWT validity - check that the user is authenticated. This already exists.
2. Use JWT data for further authorization logic, which could be:
- general access for all types and fields based on other claims. For example, an approved field in the JWT data would require a user to be approved (by a user admin) before (s)he can do anything;
- specific, very fine-grained access in the permission query, in which one could check for certain roles, permissions or groups in the JWT. For example, an app_metadata/role/admin can perform mutations and creations, while an app_metadata/role/user can only view data. Or even field-specific rules.
Leaving user management in auth0 has, in certain cases, quite some advantages, the main one: a user admin can handle the auth0 dashboard, but may not be able to understand how to work with a database such as graphcool. It's just about decoupling user management (incl. roles/groups/permissions) from database and app logic.
FR: make JWT payload/data available in the permission query.
Issue by kurt-o-sys Friday Jun 16, 2017 at 14:19 GMT Originally opened as https://github.com/graphcool/prisma/issues/251