You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/quick-starts/database/hasura/README.mdx
+99Lines changed: 99 additions & 0 deletions
Original file line number
Diff line number
Diff line change
@@ -6,3 +6,102 @@ sidebar_custom_props:
6
6
---
7
7
8
8
# Integrate Logto with Hasura
9
+
10
+
[Hasura](https://hasura.io/) is a tool that can quickly provide corresponding GraphQL and REST APIs fit your data. Considering data security, Hasura also provides the ability to fine-tune access control for each different API.
11
+
12
+
Usually, Hasura users utilize other identity management and authentication services, Logto being a very popular one among them.
13
+
14
+
In this blog post, we will assume that you are already using Hasura services. We will introduce how to integrate Hasura and Logto to maximize the security of your data. If you do not have a Logto account, sign up and start using it now!
15
+
16
+
## Background
17
+
18
+
Hasura employs [role-based access management](https://hasura.io/docs/latest/auth/overview/), while Logto uses the standard [Role-based access control (RBAC)](https://docs.logto.io/docs/recipes/rbac/).
19
+
20
+
In Logto's model and best practices for RBAC, we advise users to use `scope` to correspond to the finest granularity of permissions, use `role` as a bunch of `scope`s for convenient batch operations, and ultimately check `scope` (usually on resource providers' side) to verify whether a user can perform a specific operation.
21
+
22
+
In Hasura, a `role` corresponds to the finest granularity of permissions, and permission checks are carried out against `role`s. Therefore, during the configuration of Logto, we recommend mapping one `role` to exactly one `scope`. This approach can link Logto's and Hasura's permissions together to avoid confusion and misuse.
23
+
24
+
Hasura can support access control using Webhooks or JWT. Our previous [blog post](https://docs.logto.io/blog/logto-x-hasura/) introduced how to use Webhooks, and in the following sections, we will explain how to utilize Hasura's JWT mode access control.
25
+
26
+
## Get started
27
+
28
+
Let's start with a simple example. Suppose a user already has two APIs in Hasura, `GET /user` and `PATCH /user`, corresponding to two roles: `user:reader` and `user:maintainer`, respectively.
29
+
30
+
### 1. Create Hasura API resource in Logto
31
+
32
+
Create a Hasura API resource in Logto.
33
+
34
+
35
+
36
+
### 2. Create roles according to Hasura setup in Logto
37
+
38
+
We need to create two `scope`s for the Hasura API resource mentioned in step 1, namely `read:user` and `maintain:user`, and then create two roles: `user:reader` (containing the `read:user` scope) and `user:maintainer` (including the `maintain:user` scope) to correspond one-to-one with Hasura's roles. And assign these roles to Logto users as needed.
39
+
40
+
By looking into [Hasura JWT configuration options](https://hasura.io/docs/latest/auth/authentication/jwt/#hasura-jwt-configuration-options), we need to add and configure the environment variable `HASURA_GRAPHQL_JWT_SECRET` before we can use JWT for access control.
49
+
50
+
There are many different options that can be configured, but here we introduce the simplest case: only the `jwk_url` needs to be configured. This value can be obtained from your Logto's OpenID configuration endpoint (https://your.logto.domain/oidc/.well-known/openid-configuration).
51
+
52
+
53
+
54
+
### 4. Customize user access token extra claims
55
+
56
+
Using Logto's Custom JWT feature, customize the logic to add extra claims to the JWT-format user access token.
Customize the `getCustomJwtClaims` method to add data in the JWT that Hasura relies on for implementing access control. This can include data related to the user being authorized during that instance, including `role`s they possess, which can be accessed through `context`.
61
+
62
+
We have also defined an environment variable `USER_DEFAULT_ROLE_NAMES` to avoid hardcoding.
63
+
64
+
### 5. Integrate Logto SDK
65
+
66
+
After configuring Logto and Hasura, integrate your app with the Logto SDK. Here we use a React example to preview the user access token issued by Logto after user sign-in.
67
+
68
+
69
+
70
+
First, we assign the previously created `user:reader` and `user:maintainer` roles to the user, and then log in as that user.
71
+
72
+
```tsx
73
+
const config:LogtoConfig= {
74
+
endpoint: 'http://localhost:3001',
75
+
appId: '<your-application-id>',
76
+
appSecret: '<your-application-secret>',
77
+
scopes: [
78
+
...// existing scopes
79
+
'read:user',
80
+
'maintain:user',
81
+
],
82
+
resources: [
83
+
...// existing resources
84
+
'https://*.hasura.app/api',
85
+
],
86
+
};
87
+
```
88
+
89
+
Obtain the user access token and request Hasura APIs:
In this article, we provide another method of JWT-based access control supported by Hasura, other than Webhook.
102
+
103
+
By comparing the processes of Hasura's [Webhook](https://hasura.io/docs/latest/auth/authentication/webhook/) and [JWT](https://hasura.io/docs/latest/auth/authentication/jwt/) access control, we can see that the Webhook approach sends a Webhook to Logto and waits for a response with every Hasura request; whereas the JWT-based approach can continuously be used until the JWT expires.
104
+
105
+
The JWT approach can reduce network load and eliminate the network latency brought by Webhooks; meanwhile, the Webhook approach can synchronize changes in user permissions in real-time.
106
+
107
+
Users can choose the appropriate approach based on these conclusions, combined with their actual business needs.
0 commit comments