Authorizer
What is Authorizer
Authorizer is a database-independent open-source authentication and authorization solution.
In this section, you will learn how to integrate Authorizer with your Hasura instance and have an authorized GraphQL API ready for your application.
How to integrate Authorizer
Step 1: Deploy Authorizer Instance
To integrate Authorizer with Hasura, you need to deploy an Authorizer instance on your infrastructure or a third-party cloud service. You can deploy an Authorizer instance using the following one-click deployment options:
Infra provider | One-click link | Additional information |
---|---|---|
Railway.app | docs | |
Heroku | docs | |
Render | docs | |
You can also deploy an Authorizer instance using:
Note: With a one-click deployment option like Railway, the template configuration also deploys Postgres + Redis for you. If you use other deployment options, the required environment variables are DATABASE_TYPE & DATABASE_URL. You can also configure REDIS_URL to have persisted sessions. For more information check docs.
With Hasura, the database type needs to be either Postgres, SQL Server, or Yugabyte. Then you connect the database with the Authorizer instance via Database Environment Variables. As Hasura supports more databases, this list could change.
Step 2: Configure Authorizer instance
It's recommended to configure a sub-domain for your Authorizer instance. For example, auth.yourdomain.com.
After deploying the Authorizer instance, open the dashboard to start the configuration process. In the Authorizer dashboard, you can configure:
- Social media logins
- JWT key & secrets
- User roles
- Whitelist domains
- Company information
- Features
- Access Token data
- SMTP server
- Webhooks
- Email templates
Additionally, you can invite and manage users in the dashboard itself.
Step 3: Set up Hasura instance
The quickest way to set up a Hasura instance is via Hasura Cloud.
Step 4: Configure Database with Hasura Instance
After creating the Hasura instance, you need to connect it to a database. Open the Hasura project console, navigate to the Data section and add a database.
Check the Hasura docs for more information on how to get started with Hasura Cloud.
Note: If you chose a one-click deployment option for Authorizer, you can get the database URL from the respective platform's env section.
Step 5: Configure JWT token with Hasura
Open the Authorizer dashboard, navigate to the JWT Secrets section, and retrieve the "JWT Type" and "Secret/Public Key".
After that, open the Hasura dashboard and navigate to the Env vars section in your project's settings.
Add the following env variable to configure the JWT token:
HASURA_GRAPHQL_JWT_SECRET: {"type": <JWT_TYPE>, "key": <JWT_KEY>}
The image illustrates the process of adding the JWT token in Hasura.
Note: In the case of RSA and ECDSA JWT types, the public key comes only in the PEM encoded string format. You can get the JWT type and key from the env variables section in the Authorizer dashboard.
Check the Hasura Docs to learn more about JWT authentication.
Step 6: Configure JWT token Authorization Script
For Hasura to authorize a user, the JWT token must have specific keys. You can add those keys by modifying the JWT token in your Authorizer Dashboard.
```javascript
function(user, tokenPayload) {
  var data = tokenPayload;
  // Claims that Hasura reads, placed under its JWT claims namespace.
  data['https://hasura.io/jwt/claims'] = {
    'x-hasura-user-id': user.id,
    'x-hasura-default-role': tokenPayload.allowed_roles[0],
    'x-hasura-allowed-roles': user.roles
  };
  return data;
}
```
The response of a successful login will contain an id_token. That id token is sent via the Authorization: Bearer ID_TOKEN header to make authorized requests.
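The script above can be exercised locally before it is pasted into the dashboard. This added example, which is not Authorizer or Hasura code, wraps it in a hypothetical `addHasuraClaims` function and checks the resulting claims in a decoded `id_token` payload; all helper names and sample values are constructed, and the payload is decoded without signature verification, so it is for inspection only.

```javascript
// Added example: helper names and sample data are constructed, not Authorizer/Hasura code.
const NS = 'https://hasura.io/jwt/claims';

// The Step 6 script, given a hypothetical name so it can be called locally.
function addHasuraClaims(user, tokenPayload) {
  const data = tokenPayload;
  data[NS] = {
    'x-hasura-user-id': user.id,
    'x-hasura-default-role': tokenPayload.allowed_roles[0],
    'x-hasura-allowed-roles': user.roles,
  };
  return data;
}

// Decode a compact JWT's payload. No signature check: inspection only.
function decodePayload(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Return a list of problems with the Hasura claims; an empty list means none found.
function checkHasuraClaims(payload) {
  const c = payload[NS];
  if (c === null || typeof c !== 'object') return ['claims namespace missing'];
  const problems = [];
  const def = c['x-hasura-default-role'];
  const allowed = c['x-hasura-allowed-roles'];
  if (typeof c['x-hasura-user-id'] !== 'string') problems.push('x-hasura-user-id is not a string');
  if (typeof def !== 'string' || def === '') problems.push('x-hasura-default-role is not a string');
  if (!Array.isArray(allowed) || allowed.length === 0) {
    problems.push('x-hasura-allowed-roles is not a non-empty array');
  } else if (!allowed.includes(def)) {
    problems.push('default role is not in allowed roles');
  }
  return problems;
}

// Build a constructed, unsigned token so the example runs offline.
function sampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ alg: 'RS256', typ: 'JWT' }), enc(payload), 'placeholder-signature'].join('.');
}

const ok = addHasuraClaims({ id: 'u-1', roles: ['user'] }, { sub: 'u-1', allowed_roles: ['user'] });
console.log(checkHasuraClaims(decodePayload(sampleToken(ok)))); // []
```

Because the script takes the default role from `tokenPayload.allowed_roles` and the allowed roles from `user.roles`, the last check flags any token where those two sources disagree.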
You can configure access control for the various roles that your application needs from the Hasura console. Additionally, you can also add/update roles from the Authorizer dashboard.
For more information on access control basics, check the Hasura documentation.
Also, you can add the Authorizer GraphQL endpoint to Hasura as a remote schema. That way, you have a unified GraphQL API and single endpoint for all your GraphQL queries/mutations.