fine-grained authorization with JWT token

[stevehu]

Unlike RESTful API, we have scope for each endpoint so that the authorization can be down to the endpoint. For GraphQL, there is only one endpoint with only two or three different type of requests. Need to find a way to protect individual query or mutation.

[maarek]

Can you expose the request to the execution context so that DataFetchers gain access to the JWT token during a request and authorization is deferred to the business layer?

http://graphql-java.readthedocs.io/en/latest/concerns.html#context-objects

[stevehu]

Yes. That is a very good idea. In the light-rest-4j we pass the payload of JWT in an exchange attachment for fine-grained authorization in the business context. Let me explore it a little bit and propose something for further discussion. Thanks.

[maarek]

I didn't realize that we already did this. I missed it when I commented last night. Thanks!