Using Authorizer with Hasura
In this section you will learn how to integrate Authorizer with your Hasura instance and have an authorized GraphQL API ready for your application.
Step 1: Deploy Authorizer Instance
To integrate Authorizer with Hasura, you will need an Authorizer instance deployed on your infrastructure or a 3rd-party cloud service. You can deploy an Authorizer instance using the following one-click deployment options:
| Infra provider | One-click link | Additional information |
|---|---|---|
| Railway.app | docs | |
| Heroku | docs | |
| Render | docs | |
OR
You can also deploy Authorizer instance using
Note: If you are trying out a one-click deployment option like Railway, the template is configured so that it also deploys Postgres + Redis for you. For other deployment options, start the server with the required CLI flags:
./build/server --database-type=sqlite --database-url=test.db --jwt-type=HS256 --jwt-secret=test --admin-secret=admin --client-id=123456 --client-secret=secret
You can also configure --redis-url to have persisted sessions. For more information check Server Configuration.
For Hasura, the database type must be postgres, mysql, or another one supported by Hasura, and that database must be connected to the Authorizer instance via Database Environment Variables.
Step 2: Configure Authorizer instance
Configure your Authorizer instance using CLI flags at startup. In v2, all configuration is passed via CLI flags (no dashboard-based env configuration). For example:
./build/server \
--database-type=postgres \
--database-url="postgres://user:pass@host:5432/authorizer" \
--jwt-type=HS256 \
--jwt-secret=test \
--admin-secret=admin \
--client-id=123456 \
--client-secret=secret \
--google-client-id=YOUR_GOOGLE_CLIENT_ID \
--google-client-secret=YOUR_GOOGLE_CLIENT_SECRET \
--roles=user,admin \
--default-roles=user
See Server Configuration for all available flags including social logins, SMTP, roles, and more.
Step 3: Setup Hasura Instance
- Sign up on https://cloud.hasura.io/
- Create a project
Step 4: Configure Database with Hasura Instance
- Open the dashboard of Hasura cloud and navigate to your project
- Click on Launch Console on top right corner
- Go to Data section and connect to your database

Check the Hasura docs for more information.
Note: If you used a one-click deployment option for Authorizer, you can get the database URL from the respective platform's env section.
Step 5: Configure JWT token with Hasura
- Get the JWT type and secret from the --jwt-type and --jwt-secret (or --jwt-public-key for RS256/ES256) flags you used when starting the server
- Open the Hasura dashboard and navigate to your project
- Open settings and go to Env vars section
- Add the following env variable to configure the JWT token
HASURA_GRAPHQL_JWT_SECRET: {"type": <JWT_TYPE>, "key": <JWT_KEY>}

Note: In case of RSA and ECDSA JWT types, only provide the public key in PEM encoded string format. Use the values from the --jwt-type and --jwt-public-key flags used when starting the server.
Check the Hasura docs for more information.
Step 6: Configure JWT token Authorization Script
In order for Hasura to authorize a user, the JWT token needs to have specific keys. You can add those keys by using the --custom-access-token-script flag when starting the server.
Example:
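function(user, tokenPayload) {
  // Start from the payload Authorizer built and add Hasura's claims namespace
  var data = tokenPayload;
  data['https://hasura.io/jwt/claims'] = {
    'x-hasura-user-id': user.id,
    // Role Hasura uses when the request carries no x-hasura-role header
    'x-hasura-default-role': tokenPayload.allowed_roles[0],
    // Roles this user may act as
    'x-hasura-allowed-roles': user.roles
  };
  return data;
}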

Once users log in, they will get an id_token in the response. This token should be used with Hasura queries as Authorization: Bearer ID_TOKEN so that the requests are authorized.
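
The checks below are an added example, not code from Authorizer or Hasura: they build the Step 5 env value and validate the claims produced by the Step 6 script before a token reaches Hasura. They assume Hasura's documented 32-character minimum for HS256 keys and that the role used for a request must appear in x-hasura-allowed-roles; buildJwtSecretEnv, checkHasuraClaims and the sample inputs are hypothetical names and constructed data.

```javascript
// Added example: pre-flight checks for the Authorizer -> Hasura JWT setup.
const NS = 'https://hasura.io/jwt/claims';

// The claims script from Step 6, bound to a name so it can be called here.
const claimsScript = function (user, tokenPayload) {
  var data = tokenPayload;
  data[NS] = {
    'x-hasura-user-id': user.id,
    'x-hasura-default-role': tokenPayload.allowed_roles[0],
    'x-hasura-allowed-roles': user.roles
  };
  return data;
};

// Build the HASURA_GRAPHQL_JWT_SECRET value from the --jwt-type and key flags.
function buildJwtSecretEnv(jwtType, key) {
  if (jwtType === 'HS256' && key.length < 32) {
    throw new Error('HS256 key is shorter than 32 characters');
  }
  if (!jwtType.startsWith('HS') && key.includes('PRIVATE KEY')) {
    throw new Error('RS/ES types take the PEM public key, not the private key');
  }
  return JSON.stringify({ type: jwtType, key: key });
}

// List the problems in the Hasura claims of a decoded token payload.
function checkHasuraClaims(payload) {
  const claims = payload[NS];
  if (!claims) return ['missing claims namespace ' + NS];
  const problems = [];
  const allowed = claims['x-hasura-allowed-roles'];
  const def = claims['x-hasura-default-role'];
  if (!Array.isArray(allowed) || allowed.length === 0) {
    problems.push('x-hasura-allowed-roles must be a non-empty array');
  } else if (!allowed.includes(def)) {
    problems.push('x-hasura-default-role "' + def + '" is not an allowed role');
  }
  return problems;
}

// Constructed sample inputs (not real Authorizer output).
const sampleUser = { id: 'user-1', roles: ['user'] };
const okPayload = claimsScript(sampleUser, { sub: 'user-1', allowed_roles: ['user'] });
const badPayload = claimsScript(sampleUser, { sub: 'user-1', allowed_roles: ['admin', 'user'] });
console.log(checkHasuraClaims(okPayload), checkHasuraClaims(badPayload));
```

The short secret used in the example commands on this page (test) fails the HS256 length check, so use a longer value for --jwt-secret when the same key is given to Hasura.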
You can configure access control for the various roles that your application needs from Hasura. Configure roles in Authorizer using the --roles, --default-roles, and --protected-roles flags.

For more information on access control check the Hasura docs.
You can also stitch the Authorizer GraphQL endpoint with Hasura Remote Schema; that way you have a single endpoint for all your GraphQL queries / mutations.