
Authorizer

What is Authorizer

Authorizer is a database-independent open-source authentication and authorization solution.

In this section, you will learn how to integrate Authorizer with your Hasura instance and have authorized GraphQL API ready for your application.

How to integrate Authorizer

Step 1: Deploy Authorizer Instance

To integrate Authorizer with Hasura, you need to deploy an Authorizer instance on your infrastructure or a third-party cloud service. You can deploy an Authorizer instance using the following one-click deployment options:

Infra provider | One-click link | Additional information
Railway.app | Deploy on Railway | docs
Heroku | Deploy to Heroku | docs
Render | render button | docs

You can also deploy an Authorizer instance using:

Note: With a one-click deployment option like Railway, the template configuration also deploys Postgres + Redis for you. If you use other deployment options, the required environment variables are DATABASE_TYPE & DATABASE_URL. You can also configure REDIS_URL to have persisted sessions. For more information check docs.

With Hasura, the database type needs to be either Postgres, SQL Server, or Yugabyte. Then you connect the database with the Authorizer instance via Database Environment Variables. As Hasura supports more databases, this list could change.

Step 2: Configure Authorizer instance

It's recommended to configure a sub-domain for your Authorizer instance. For example, auth.yourdomain.com.

After deploying the Authorizer instance, open the dashboard to start the configuration process. In the Authorizer dashboard, you can configure:

  • Social media logins
  • JWT key & secrets
  • User roles
  • Whitelist domains
  • Company information
  • Features
  • Access Token data
  • SMTP server
  • Webhooks
  • Email templates

Additionally, you can invite and manage users in the dashboard itself.

Step 3: Set up Hasura instance

The quickest way to set up a Hasura instance is via Hasura Cloud.

Deploy to Hasura button

Step 4: Configure Database with Hasura Instance

After creating the Hasura instance, you need to connect it to a database. Open the Hasura project console, navigate to the Data section and add a database.

Hasura database connection

Check the Hasura docs for more information on how to get started with Hasura Cloud.

Note: If you chose a one-click deployment option for Authorizer, you can get the database URL from the respective platform's env section.

Step 5: Configure JWT token with Hasura

Open the Authorizer dashboard, navigate to the JWT Secrets section, and retrieve the "JWT Type" and "Secret/Public Key".

Authorizer JWT Secrets section

After that, open the Hasura dashboard and navigate to the Env vars section in your project's settings.

Add the following env variable to configure the JWT token:

HASURA_GRAPHQL_JWT_SECRET: {"type": "<JWT_TYPE>", "key": "<JWT_KEY>"}

The image illustrates the process of adding the JWT token in Hasura.

Add env var in Hasura

Note: In the case of RSA and ECDSA JWT types, the public key comes only in the PEM encoded string format. You can get the JWT type and key from the env variables section in the Authorizer dashboard.

Check the Hasura Docs to learn more about JWT authentication.

Step 6: Configure JWT token Authorization Script

For Hasura to authorize a user, the JWT token must have specific keys. You can add those keys by modifying the JWT token in your Authorizer Dashboard.

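// Receives the Authorizer user record and the token payload.
function(user, tokenPayload) {
  var data = tokenPayload;
  // Hasura reads its session variables from this namespaced claim.
  data['https://hasura.io/jwt/claims'] = {
    'x-hasura-user-id': user.id,
    'x-hasura-default-role': tokenPayload.allowed_roles[0],
    'x-hasura-allowed-roles': user.roles
  };
  return data;
}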

Access token from Authorizer dashboard

The response of a successful login will contain an id_token. That id token is sent via the Authorization: Bearer ID_TOKEN header to make authorized requests.
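To confirm that an id_token carries the claims the script above is meant to add, you can decode its payload and check the Hasura namespace before sending it. The following is an added example, not code from Authorizer or Hasura; the helper names and both sample tokens are constructed for illustration, and it only inspects the payload (it does not verify the signature, which Hasura does with HASURA_GRAPHQL_JWT_SECRET).

```javascript
// Added example (Node.js). Helper names and sample tokens are constructed.
const NS = 'https://hasura.io/jwt/claims';

// Decode the payload segment of a compact JWT. Inspection only: no signature check.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT (header.payload.signature)');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Return a list of problems with the Hasura claims; an empty list means well-formed.
function checkHasuraClaims(payload) {
  const claims = payload[NS];
  if (claims === null || typeof claims !== 'object' || Array.isArray(claims)) {
    return [`missing ${NS} object`];
  }
  const problems = [];
  const roles = claims['x-hasura-allowed-roles'];
  const def = claims['x-hasura-default-role'];
  const rolesOk = Array.isArray(roles) && roles.length > 0 &&
    roles.every((r) => typeof r === 'string');
  if (!rolesOk) problems.push('x-hasura-allowed-roles must be a non-empty array of strings');
  if (typeof def !== 'string' || def === '') {
    problems.push('x-hasura-default-role must be a non-empty string');
  } else if (rolesOk && !roles.includes(def)) {
    problems.push('x-hasura-default-role is not in x-hasura-allowed-roles');
  }
  if (typeof claims['x-hasura-user-id'] !== 'string') {
    problems.push('x-hasura-user-id must be a string');
  }
  return problems;
}

// Build a constructed, dummy-signed token so the example runs offline.
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}.constructed-signature`;
}

const GOOD_TOKEN = makeSampleToken({ sub: 'u-1', [NS]: {
  'x-hasura-user-id': 'u-1',
  'x-hasura-default-role': 'user',
  'x-hasura-allowed-roles': ['user', 'admin'] } });
const BAD_TOKEN = makeSampleToken({ sub: 'u-2', [NS]: {
  'x-hasura-user-id': 42,               // number instead of string
  'x-hasura-default-role': 'admin',     // not listed in allowed roles
  'x-hasura-allowed-roles': ['user'] } });

console.log(checkHasuraClaims(decodePayload(GOOD_TOKEN)));
console.log(checkHasuraClaims(decodePayload(BAD_TOKEN)));
```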

You can configure access control for the various roles that your application needs from the Hasura console. Additionally, you can also add/update roles from the Authorizer dashboard.

The roles feature in Authorizer

For more information on access control basics, check the Hasura documentation.

Also, you can add the Authorizer GraphQL endpoint to Hasura as a remote schema. That way, you have a unified GraphQL API and single endpoint for all your GraphQL queries/mutations.
