Docs
Launch GraphOS Studio

Authenticating requests with the Apollo Router

serverrouterauth

This feature is only available with a GraphOS Enterprise plan. If your organization doesn't currently have an Enterprise plan, you can test this functionality by signing up for a free Enterprise trial.

💡 TIP

If you're an enterprise customer looking for more material on this topic, try the Enterprise best practices: Router extensibility course on Odyssey.

Not an enterprise customer? Learn about GraphOS for Enterprise.

When using the Apollo as the entry point to your federated , you have a few options for authenticating incoming client requests:

In fact, we recommend you combine all three strategies to create a more robust authentication system!

Use Authorization Directives

In addition to the the approaches outlined below, you can use authorization directives to enforce authorization at the layer. This allows you to authorize requests prior to them hitting your s saving on bandwidth and processing time.

This is an Enterprise feature of the Apollo . It requires an organization with a GraphOS Enterprise plan.

ClientRouterSubgraphRequest with tokenValidate requestRespond 401 UnauthorizedRequest Dataalt[Request is invalid][Request is valid]ClientRouterSubgraph

Once the request's claims are made available via the JWT validation or a coprocessor, they can be used to match against the required type and scopes to enforce authorization policies.

# Request's authorization claims must contain `read:users`
type Query {
  users: [User!]! @requiresScopes(scopes: [["read:users"]])
}


# Request must be authenticated
type Mutation {
  updateUser(input: UpdateUserInput!): User! @authenticated
}

Pros:

  • Validating authorization before processing requests enables the early termination of unauthorized requests reducing the load on your services
  • Declarative approach that can be adopted and maintained by each while enforced centrally

Cons

  • updates will need to be made to each to opt into this authorization model

Authenticate in subgraphs

The simplest authentication strategy is to delegate authentication to your individual services.

ClientRouterSubgraphRequest with tokenRequest with tokenAuthenticate request with tokenClientRouterSubgraph

To pass Authentication headers from client requests to your s, add the following to your 's YAML configuration file:

headers:
  all:
    request:
      - propagate:
          named: authorization

Pros

  • Requires minimal changes to your configuration.
  • Can take advantage of existing authentication code in s, which is often tied to authorization logic for s.

Cons

  • Each that contributes to resolving a request needs to authenticate that request.
  • If s are written in different languages, maintaining consistent authentication code for each is complex.

Use the JWT Authentication plugin

As of Apollo v1.13, you can use the JWT Authentication plugin to validate JWT-based authentication tokens in your .

This is an Enterprise feature of the Apollo . It requires an organization with a GraphOS Enterprise plan.

ClientRouterJWKS EndpointSubgraphRequest with JWTFetch key setPublic keysValidate JWTExtract claims in RhaiRequest with extracted claims in headersCheck claims on headersClientRouterJWKS EndpointSubgraph
authentication:
  jwt:
    jwks:
      - url: https://dev-zzp5enui.us.auth0.com/.well-known/jwks.json

Pros:

  • The prevents unauthenticated requests from reaching your s.
  • The can extract claims from the JWT and pass them to your s as headers, reducing logic needed in your subgraphs.

Cons:

  • It supports only JWT-based authentication with keys from a JWKS endpoint.

Use a coprocessor

If you have a custom authentication strategy, you can use a coprocessor to implement it.

This is an Enterprise feature of the Apollo . It requires an organization with a GraphOS Enterprise plan.

ClientRouterCoprocessorSubgraphRequest with tokenRequest with headers and contextValidate requestRespond { control: { break: 401 } }Respond { control: "continue" }Can also add new headersalt[Request is invalid][Request is valid]Request with new headersCheck claims on headersClientRouterCoprocessorSubgraph
coprocessor:
  url: http://127.0.0.1:8081
  router:
    request:
      headers: true

This example coprocessor is written in Node.js and uses Express:

const app = express();
app.use(bodyParser.json());
app.post('/', async (req, res) => {
  const {headers} = req.body;
  const token = headers.authorization;
  const isValid = await validateToken(token);
  if (!isValid) {
    res.json({
      ...req.body,
      control: {break: 401}
    });
  } else {
    res.json({
      ...req.body,
      control: 'continue',
      headers: {'x-claims': extractClaims(token)}
    });
  }
});

Pros:

  • You can implement any authentication strategy in any language or framework, as long as the coprocessor provides an HTTP endpoint.
  • You can use the coprocessor to add headers to requests, which can be used by your s for additional authorization.

Cons:

  • The initial lift of implementing a coprocessor is non-trivial, but once it's in place you can leverage it for any number of customizations.

Combining authentication strategies

You can combine the strategies to handle a number of authentication requirements and practice "defense-in-depth":

  1. Use the JWT Authentication plugin to validate JWT-based authentication tokens.
  2. Use auth s to enforce authentication and authorization and at the layer
  3. Use a coprocessor to identify traffic using a legacy authentication strategy and convert legacy session tokens to JWTs.
  4. Forward JWTs to s for additional authorization.
Next
Home
Edit on GitHubEditForumsDiscord