You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
:description: This page describes how to set up authentication features in the Neo4j GraphQL Library.
3
3
4
-
Explicit authentication, configured using the `@authentication` directive, is only ever evaluated
5
-
during Cypher translation time, and unauthenticated requests with queries requiring authentication
6
-
will never reach the database.
4
+
The GraphQL Library offers the `@authentication` directive to configure authentication for certain operations and for different parts of your schema.
7
5
8
-
== Configuration
6
+
[NOTE]
7
+
Explicit authentication, configured with the `@authentication` directive, is only ever evaluated during Cypher translation time, and unauthenticated requests with queries requiring authentication never reach the database.
9
8
10
-
Authentication can be configured for an entire type, for example, the type `User`:
9
+
== Operations
10
+
11
+
Authentication can be configured to only be validated on certain operations:
12
+
13
+
* `CREATE`
14
+
* `READ`
15
+
* `AGGREGATE`
16
+
* `UPDATE`
17
+
* `DELETE`
18
+
* `CREATE_RELATIONSHIP`
19
+
* `DELETE_RELATIONSHIP`
20
+
* `SUBSCRIBE`
21
+
22
+
23
+
For instance, to only require authentication for the update or deletion of a user:
24
+
25
+
[source, graphql, indent=0]
26
+
----
27
+
type User @authentication(operations: [UPDATE, DELETE]) {
28
+
id: ID!
29
+
name: String!
30
+
password: String!
31
+
}
32
+
----
33
+
34
+
[NOTE]
35
+
If there is no `operations` argument with a list of operations, the GraphQL Library treats the authentication configuration as if the full list of operations had been provided.
36
+
37
+
38
+
== Scope
39
+
40
+
41
+
=== Global authentication
42
+
43
+
Athentication can be applied to the entire schema.
44
+
This ensures authentication is checked for every matching request.
45
+
46
+
Extend the schema:
47
+
48
+
[source, graphql, indent=0]
49
+
----
50
+
extend schema @authentication
51
+
----
52
+
53
+
The `operations` and `jwt` arguments can also be used when the directive is applied to a schema extension.
54
+
55
+
// ^ should we add links or provide examples?
56
+
57
+
=== Authentication for types
58
+
59
+
Authentication can be configured for an entire type:
11
60
12
61
[source, graphql, indent=0]
13
62
----
@@ -18,7 +67,7 @@ type User @authentication {
18
67
}
19
68
----
20
69
21
-
Authentication will thus be validated when any of the following operations are _attempted_:
70
+
With this configuration, authentication is validated when any of the following operations are _attempted_:
22
71
23
72
* *Create*: `createUsers` mutation, `create`, or `connectOrCreate` nested operation via a related type.
24
73
* *Read*: `users`, `usersConnection`, `usersAggregate` query, or access via related type.
@@ -28,7 +77,10 @@ Authentication will thus be validated when any of the following operations are _
28
77
* *Delete relationship*: `disconnect` nested operation via a related type.
29
78
* *Subscribe*: all subscription operations related to type `User`.
30
79
31
-
Additionally, the directive can be configured on a per-field basis, for example:
80
+
81
+
=== Authentication for fields
82
+
83
+
Authentication can be configured on a per-field basis, for example:
32
84
33
85
[source, graphql, indent=0]
34
86
----
@@ -39,37 +91,13 @@ type User {
39
91
}
40
92
----
41
93
42
-
This will only be evaluated in the following circumstances:
94
+
This is only evaluated under the following circumstances:
43
95
44
96
* The `password` field is set on either `create` or `update`.
45
97
* The `password` field is present in a selection set.
46
98
47
-
=== Operations
48
-
49
-
Authentication can be configured to only be validated on certain operations:
50
-
51
-
* `CREATE`
52
-
* `READ`
53
-
* `AGGREGATE`
54
-
* `UPDATE`
55
-
* `DELETE`
56
-
* `CREATE_RELATIONSHIP`
57
-
* `DELETE_RELATIONSHIP`
58
-
* `SUBSCRIBE`
59
-
60
99
61
-
For instance, to only require authentication for the update or deletion of a user:
62
-
63
-
[source, graphql, indent=0]
64
-
----
65
-
type User @authentication(operations: [UPDATE, DELETE]) {
66
-
id: ID!
67
-
name: String!
68
-
password: String!
69
-
}
70
-
----
71
-
72
-
=== Additional verification
100
+
== Additional verification
73
101
74
102
Additional checks against JWT claims can be performed together with authentication.
75
103
For instance, if it was a requirement that only users with the `admin` role can delete users:
@@ -81,18 +109,4 @@ type User @authentication(operations: [DELETE], jwt: { roles_INCLUDES: "admin" }
81
109
name: String!
82
110
password: String!
83
111
}
84
-
----
85
-
86
-
== Global authentication
87
-
88
-
Additionally, authentication can be applied to the entire schema.
89
-
This ensures authentication is checked for every matching request.
90
-
91
-
This is done via extending the schema:
92
-
93
-
[source, graphql, indent=0]
94
-
----
95
-
extend schema @authentication
96
-
----
97
-
98
-
The `operations` and `jwt` arguments can also be used when the directive is applied to a schema extension.
0 commit comments