.NET Core 6 Authentication/Authorization Issue

[davehog]

I have a bit of a strange conundrum here. We are running .NET Core 6 and just updated to GraphQL 7 (from 5) - we are using DI and MVC and have been running GraphQL.NET since version 3. Everything is working fine, except authorization seems to be either all or nothing. All would be acceptable except the Introspection endpoints need to allow anonymous so that our front end Apollo implementation can digest it without authenticating.

So, if I have the config.AuthorizationRequired = true; on in the Configure method, this works great and makes everything require authentication but then Apollo can't read the Introspection endpoints. This would be fine, and I could just add the [Authorize] attributes to the Queries and Mutations, but doing so doesn't appear to be working. When the attributes are present, or if I use this.Authorize() in the actual body of the methods, both scenarios allow unauthenticated users right through.

It seems like I have something misconfigured somewhere, or I have missed something, but I am not certain what it could be. Our authentication stuff is pretty vanilla .NET role-base auth.

Any direction you could provide would be helpful - happy to provide code samples if needed. Thank you!

[Shane32]

Endpoint authorization, as described here in the readme, is all-or-nothing and applies authorization policies prior to allowing any connection to the GraphQL endpoint, whether for introspection requests or otherwise.

Field/type authorization, as described here in the readme, will allow introspection requests, as introspection fields implicitly have [AllowAnonymous] set. If you need a global authorization policy set while allowing introspection requests, simply add the proper policy to the query, mutation and subscription types.

// code-first sample
public class QueryGraphType : ObjectGraphType
{
    public QueryGraphType()
    {
        this.AuthorizeWithRoles("Administrators");
        // fields here
        Field<string>("Hello").Resolve(_ => "World");
    }
}

// type-first sample
[Authorize(Roles = "Administrators")]
public class Query
{
    // fields here
    public static string Hello => "World";
}

//ditto for mutation and subscription types

If you those settings do not seem to work, be sure that you have called AddAuthorizationRule() within your call to AddGraphQL(). If using type-first with the [Authorize] attribute, be sure that you have the correct import and are using the GraphQL.AuthorizeAttribute attribute, rather than the Microsoft.AspNetCore.Authorization.AuthorizeAttribute.

[davehog]

This is great, @Shane32 , I very much appreciate the quick response! I did not have AddAuthorizationRule() in there, so I added it, but I still get the same behavior. What appears to be happening is that EndPoint authorization works great, but field/type authorization doesn't work at all. Here is what I have in my Startup.cs:

public void ConfigureServices(IServiceCollection services)
{
  // other startup code ... //
  services.AddGraphQL(builder => builder
      .AddSystemTextJson()
      .AddErrorInfoProvider(opts =>
      {
          opts.ExposeExceptionDetails = Environment.IsDevelopment();
      })
      .ConfigureExecutionOptions(options =>
      {
          options.EnableMetrics = Environment.IsDevelopment();
          var logger = options.RequestServices.GetRequiredService<ILogger<Startup>>();
          options.UnhandledExceptionDelegate = ctx =>
          {
              logger.LogError("{Error} occurred", ctx.OriginalException.Message);
              return Task.CompletedTask;
          };
      })
      .AddGraphTypes(typeof(AdminSchema).Assembly)
      .AddUserContextBuilder(context => new GraphQLUserContext(context))
      .AddDataLoader()
      .AddAuthorizationRule()
  );
  services.AddAuthorization();
  // other startup code ... //
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
  // other startup code ... //
    app.UseGraphQL<AdminSchema>("/graphql", config =>
    {
        // comment these out to turn off EndPoint auth
        config.AuthorizationRequired = true;
        config.AuthorizedRoles.Add("Member");
    });
  // other startup code ... //
}

And in my mutations (edited for brevity):

public class AdminMutations : AuthorizedGraph
{
  public AdminMutations(IUserService userService, IModerationAdminService moderationAdminService) : base(userService)
  {
      Name = "AdminMutations";
      Description = "Mutations performed on the admin objects";
      init(moderationAdminService);
  }

  private void init(IModerationAdminService moderationAdminService))
  {
    Field<ImageModerationOverrideType>("saveImageModerationOverride")
        .Description("Saves an ImageModerationOverride to the database, if no Id is supplied, it saves a new one, if Id is there, it will update.")
        .Arguments(new QueryArguments(new QueryArgument<NonNullGraphType<ImageModerationOverrideInputType>> { Name = "imageModerationOverride" }))
        .ResolveAsync(async context =>
        {
            try
            {
                var user = GetLoggedInUser(context.UserContext as GraphQLUserContext);
                var imageModerationOverride = context.GetArgument<ImageModerationOverrideModel>("imageModerationOverride");
                return await moderationAdminService.SaveImageModerationOverrideAsync(user, imageModerationOverride);
            }
            catch (UnauthorizedClientAccessException ucae)
            {
                throw new ExecutionError($"the user {ucae.User.AuditName} tried to modify an imageModerationOverride they do not have access to.");
            }
            catch (Exception e)
            {
                throw new ExecutionError("Error saving imageModerationOverride", e);
            }
        });
  }

Finally, the AuthorizedGraph base class:

[Authorize(Roles = "Member")]
public abstract class AuthorizedGraph : ObjectGraphType
{
    protected readonly IUserService UserService;

    protected AuthorizedGraph(IUserService userService)
    {
        UserService = userService;
    }

    protected UserModel GetLoggedInUser(GraphQLUserContext userContext)
    {
        return UserService.GetLoggedInUser(userContext.User?.Identity?.Name);
    }
}

Thanks again for your help - very much appreciated!

Dave

[Shane32]

The authorize attribute only works for type-first schemas. For code-first schemas, you need to call .AuthorizeWithRoles()

public abstract class AuthorizedGraph : ObjectGraphType
{
    protected readonly IUserService UserService;

    protected AuthorizedGraph(IUserService userService)
    {
        UserService = userService;
        this.AuthorizeWithRoles("Member");
    }

    protected UserModel GetLoggedInUser(GraphQLUserContext userContext)
    {
        return UserService.GetLoggedInUser(userContext.User?.Identity?.Name);
    }
}

On a side note, IResolveFieldContext now has a User property which will/can carry the user principal. GraphQL.NET Server 7.x will pass the user identity from ASP.NET Core through this property. So you do not really need to carry it within your user context class if you do not wish to.

[davehog]

Ahh, that was it, many thanks @Shane32 , very much appreciate your help!

[Shane32]

use this.Authorize() in the actual body of the methods

Be sure not to call any authorization extension methods within a field resolver. At that point the field is already being executed, and has passed validation. Call .Authorize() on the field type outside of the resolver, within the constructor of the type.

// incorrect
Field<string>("Hello")
    .Resolve(_ =>
    {
        this.AuthorizeWithRoles("Administrators");
        return "World";
    });

// correct
Field<string>("Hello")
    .Resolve(_ => "World")
    .AuthorizeWithRoles("Administrators");

// it seems the .Authorize() extension is missing from the field builder, so for now, do this for .Authorize():
Field<string>("Hello")
    .Resolve(_ => "World")
    .FieldType.Authorize();

See graphql-dotnet/graphql-dotnet#3324 for fix to add .Authorize() and .AllowAnonymous() to field builders