Service

import ballerina/graphql;

listener graphql:Listener securedEP = new(9090,
    secureSocket = {
        key: {
            certFile: "../resource/path/to/public.crt",
            keyFile: "../resource/path/to/private.key"
        }
    }
);

// The service can be secured with JWT Auth and can be authorized
// optionally. JWT Auth can be enabled by setting the
// `graphql:JwtValidatorConfig` configurations.
// Authorization is based on scopes. A scope maps to one or more groups.
// Authorization can be enabled by setting the `string|string[]` type
// configurations for `scopes` field.
@graphql:ServiceConfig {
    auth: [
        {
            jwtValidatorConfig: {
                issuer: "wso2",
                audience: "ballerina",
                signatureConfig: {
                    certFile: "../resource/path/to/public.crt"
                },
                scopeKey: "scp"
            },
            scopes: ["admin"]
        }
    ]
}
service /graphql on securedEP {
    resource function get greeting() returns string {
        return "Hello, World!";
    }
}

Service - JWT Auth

A GraphQL service can be secured with JWT and by enforcing authorization optionally. Then, it validates the JWT sent in the Authorization header against the provided configurations.
Ballerina uses the concept of scopes for authorization. A resource declared in a service can be bound to one/more scope(s). The scope can be included in the JWT using a custom claim attribute. That custom claim attribute also can be configured as the scopeKey.
In the authorization phase, the scopes of the service are compared against the scope included in the JWT for at least one match between the two sets.

For more information on the underlying module, see the JWT module.

< PREVIOUS

Service - Basic Auth LDAP user store

NEXT >

Service - OAuth2

import ballerina/graphql;

listener graphql:Listener securedEP = new(9090,
    secureSocket = {
        key: {
            certFile: "../resource/path/to/public.crt",
            keyFile: "../resource/path/to/private.key"
        }
    }
);

@graphql:ServiceConfig {
    auth: [
        {
            jwtValidatorConfig: {
                issuer: "wso2",
                audience: "ballerina",
                signatureConfig: {
                    certFile: "../resource/path/to/public.crt"
                },
                scopeKey: "scp"
            },
            scopes: ["admin"]
        }
    ]
}
service /graphql on securedEP {
    resource function get greeting() returns string {
        return "Hello, World!";
    }
}

The service can be secured with JWT Auth and can be authorized optionally. JWT Auth can be enabled by setting the graphql:JwtValidatorConfig configurations. Authorization is based on scopes. A scope maps to one or more groups. Authorization can be enabled by setting the string|string[] type configurations for scopes field.

# You may need to change the certificate file path and private key file path.
bal run graphql_service_jwt_auth.bal