Forwarding Auth Context to/from Remote Schemas
Introduction
This page gives an overview of how Hasura allows you to pass auth context to your Remote Schema server.
Passing headers from Hasura to your Remote Schema
Hasura will forward the resolved x-hasura-* values as headers to your Remote Schema. You can use this information to apply authorization rules in your server. You don't have to redo authentication in your Remote Schema server.
You can also configure Hasura to have (as shown here):
- static header values that are sent to the remote server
- forward all headers from the client (like Authorization, Cookie headers etc.)
- Fine grained access control
In case there are multiple headers with the same name, the order of precedence is: configuration headers > resolved user (x-hasura-*) variables > client headers.
So for example, if the client sends an Authorization header, and the configuration also has an Authorization header, the configuration header value will be selected.
The headers from the client behave similarly to the authorization system. If x-hasura-admin-secret is sent, then all x-hasura-* values from the client are respected, otherwise they are ignored.
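As an added example (not code from Hasura or from the original page), here is one way a Remote Schema server written in Node.js could apply an authorization rule to the forwarded x-hasura-* headers described in this section, denying the request when a variable is missing, empty or duplicated. The policy, the order object and the function names are hypothetical, and the example assumes the server is reachable only by Hasura, since it trusts these headers without re-authenticating.

```javascript
// Added example: policy, field names and sample data are hypothetical.
const PREFIX = "x-hasura-";

// Collect the forwarded session variables. Header names are
// case-insensitive, so compare on the lowercased name. Returns null when a
// variable is empty, not a string, or appears twice, so callers fail closed.
function sessionFromHeaders(headers) {
  const session = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (!key.startsWith(PREFIX)) continue;
    if (typeof value !== "string" || value === "" || key in session) return null;
    session[key] = value;
  }
  return session;
}

// Hypothetical rule: "support" reads any order, "user" reads only orders
// owned by x-hasura-user-id, every other or missing role is denied.
function canReadOrder(headers, order) {
  const session = sessionFromHeaders(headers);
  if (session === null) return false;
  const role = session["x-hasura-role"];
  if (role === "support") return true;
  if (role === "user") {
    const userId = session["x-hasura-user-id"];
    return userId !== undefined && userId === String(order.ownerId);
  }
  return false;
}

// Constructed sample input.
const order = { id: 7, ownerId: 42 };
const asOwner = { "X-Hasura-Role": "user", "X-Hasura-User-Id": "42" };
const asOther = { "x-hasura-role": "user", "x-hasura-user-id": "43" };
console.log(canReadOrder(asOwner, order), canReadOrder(asOther, order));
```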
Passing cookie headers from your Remote Schema to the client
Set-Cookie headers from your Remote Schema servers are sent back to the client over HTTP transport. Over websocket transport there exists no means of sending headers after a query/mutation and hence the "Set-Cookie" headers are not sent to the client. Use HTTP transport if your remote servers set cookies.