This repository demonstrates how to setup a coprocessor with the Router to do external authentication. This can be used for service-to-service authentication, for populating claims based on an opaque token, enriching a JWT with additional scopes, etc.
Note: To run this example, you will need a GraphOS Enterprise plan and must create
/router/.envbased on/router/.env.examplewhich exportsAPOLLO_KEYandAPOLLO_GRAPH_REF.
- Run the subgraph from the
/subgraphdirectory withnpm run dev - Run the auth-service from the
/auth-servicedirectory withnpm run dev - Run the coprocessor from the
/coprocessordirectory withnpm run dev - In the
/routerdirectory, download the router by running./download_router.sh - In the
/routerdirectory, compose the schema by running./create_local_schema.sh - In the
/routerdirectory, run the router by running./start_router.sh
Now if you run this code in the browser (http://127.0.0.1:4000/), you will be able to query the router.
In router/router-config.yaml, the coprocessor is configured with the Router to be called for all subgraphs on the subgraph and router request stages.
In coprocessor/src/index.js, the coprocessor is setup with express to listen to the / POST endpoint and respond to the SubgraphRequest or RouterRequest stages.
In the processRouterRequestStage function, an external service is called and the resulting token is stored in the Router context value authentication::authToken.
In the processSubgraphStage function, the authentication::authToken context value is retrieved and attached to the outgoing headers.
Note that this also demonstrates how to attach claims for authZN directives and how to attach a larger token to the body.extensions instead of a header.
In subgraph/src/index.js, it is demonstrated how to extract the authToken in the subgraph from either the headers or the body.extensions.