Added authorization docs (#3830)

Author: tobias-tengler

website/src/docs/docs.json

@@ -190,6 +190,24 @@
               }
             ]
           },
+          {
+            "path": "security",
+            "title": "Security",
+            "items": [
+              {
+                "path": "index",
+                "title": "Overview"
+              },
+              {
+                "path": "authentication",
+                "title": "Authentication"
+              },
+              {
+                "path": "authorization",
+                "title": "Authorization"
+              }
+            ]
+          },
           {
             "path": "api-reference",
             "title": "API Reference",

website/src/docs/hotchocolate/security/authentication.md

@@ -0,0 +1,173 @@
+---
+title: Authentication
+---
+
+import { ExampleTabs } from "../../../components/mdx/example-tabs"
+
+Authentication allows us to determine a user's identity. This is of course a prerequisite for authorization, but it also allows us to access the authenticated user in our resolvers. This is useful, if we for example want to build a `me` field that fetches details about the authenticated user.
+
+Hot Chocolate fully embraces the authentication capabilities of ASP.NET Core, making it easy to reuse existing authentication configuration and integrating a variety of authentication providers.
+
+[Learn more about authentication in ASP.NET Core](https://docs.microsoft.com/aspnet/core/security/authentication)
+
+# Setup
+
+Setting up authentication is largely the same as in any other ASP.NET Core application.
+
+**In the following example we are using JWTs, but we could use any other authentication scheme supported by ASP.NET Core.**
+
+1. Install the `Microsoft.AspNetCore.Authentication.JwtBearer` package
+
+```bash
+dotnet add package Microsoft.AspNetCore.Authentication.JwtBearer
+```
+
+2. Register the JWT authentication scheme
+
+```csharp
+public class Startup
+{
+    public void ConfigureServices(IServiceCollection services)
+    {
+        var signingKey = new SymmetricSecurityKey(
+            Encoding.UTF8.GetBytes("MySuperSecretKey"));
+
+        services
+            .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
+            .AddJwtBearer(options =>
+            {
+                options.TokenValidationParameters =
+                    new TokenValidationParameters
+                    {
+                        ValidIssuer = "https://auth.chillicream.com",
+                        ValidAudience = "https://graphql.chillicream.com",
+                        ValidateIssuerSigningKey = true,
+                        IssuerSigningKey = signingKey
+                    };
+            });
+    }
+}
+```
+
+> ⚠️ Note: This is an example configuration that's not intended for use in a real world application.
+
+3. Register the ASP.NET Core authentication middleware with the request pipeline by calling `UseAuthentication`
+
+```csharp
+public class Startup
+{
+    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
+    {
+        app.UseRouting();
+
+        app.UseAuthentication();
+
+        app.UseEndpoints(endpoints =>
+        {
+            endpoints.MapGraphQL();
+        });
+    }
+}
+```
+
+The above takes care of parsing and validating an incoming HTTP request.
+
+In order to make the authentication result available to our resolvers, we need to complete some additional, Hot Chocolate specific steps.
+
+1. Install the `HotChocolate.AspNetCore.Authorization` package
+
+```bash
+dotnet add package HotChocolate.AspNetCore.Authorization
+```
+
+2. Call `AddAuthorization()` on the `IRequestExecutorBuilder`
+
+```csharp
+services
+    .AddGraphQLServer()
+    .AddAuthorization()
+    .AddQueryType<Query>();
+```
+
+All of this does not yet lock out unauthenticated users. It only exposes the identity of the authenticated user to our application through a `ClaimsPrincipal`. If we want to prevent certain users from querying our graph, we need to utilize authorization.
+
+[Learn more about authorization](/docs/hotchocolate/security/authorization)
+
+# Accessing the ClaimsPrincipal
+
+The [ClaimsPrincipal](https://docs.microsoft.com/dotnet/api/system.security.claims.claimsprincipal) of an authenticated user can be accessed in our resolvers like the following.
+
+<ExampleTabs>
+<ExampleTabs.Annotation>
+
+```csharp
+public class Query
+{
+    public User GetMe(ClaimsPrincipal claimsPrincipal)
+    {
+        // Omitted code for brevity
+    }
+
+    // before v11.3.1
+    public User GetMeLegacy(
+        [GlobalState(nameof(ClaimsPrincipal))] ClaimsPrincipal claimsPrincipal)
+    {
+        // Omitted code for brevity
+    }
+}
+```
+
+</ExampleTabs.Annotation>
+<ExampleTabs.Code>
+
+```csharp
+public class QueryType : ObjectType
+{
+    protected override void Configure(IObjectTypeDescriptor descriptor)
+    {
+        descriptor
+            .Field("me")
+            .Resolve(context =>
+            {
+                var claimsPrincipal = context.GetUser();
+                // before v11.3.1
+                var claimsPrincipal = context.GetGlobalValue<ClaimsPrincipal>(
+                                        nameof(ClaimsPrincipal));
+
+                // Omitted code for brevity
+            });
+    }
+}
+```
+
+</ExampleTabs.Code>
+<ExampleTabs.Schema>
+
+```csharp
+services
+    .AddGraphQLServer()
+    .AddDocumentFromString(@"
+        type Query {
+          me: User
+          meLegacy: User
+        }
+    ")
+    .AddResolver("Query", "me", (context) =>
+    {
+        var claimsPrincipal = context.GetUser();
+        // before v11.3.1
+        var claimsPrincipal = context.GetGlobalValue<ClaimsPrincipal>(
+                                        nameof(ClaimsPrincipal));
+
+        // Omitted code for brevity
+    })
+```
+
+</ExampleTabs.Schema>
+</ExampleTabs>
+
+With the authenticated user's `ClaimsPrincipal`, we can now access their claims.
+
+```csharp
+var userId = claimsPrincipal.FindFirstValue(ClaimTypes.NameIdentifier);
+```

website/src/docs/hotchocolate/security/authorization.md

@@ -0,0 +1,376 @@
+---
+title: Authorization
+---
+
+import { ExampleTabs } from "../../../components/mdx/example-tabs"
+
+Authorization allows us to determine a user's permissions within our system. We can for example limit access to resources or only allow certain users to execute specific mutations.
+
+Authentication is a prerequisite of Authorization, as we first need to validate a user's "authenticity" before we can evaluate his authorization claims.
+
+[Learn how to setup authentication](/docs/hotchocolate/security/authentication)
+
+# Setup
+
+After we have successfully setup authentication, there are only a few things left to do.
+
+1. Register the necessary ASP.NET Core services
+
+```csharp
+public class Startup
+{
+    public void ConfigureServices(IServiceCollection services)
+    {
+        services.AddAuthorization();
+
+        // Omitted code for brevity
+
+        services
+            .AddGraphQLServer()
+            .AddAuthorization()
+            .AddQueryType<Query>();
+    }
+}
+```
+
+> ⚠️ Note: We need to call `AddAuthorization()` on the `IServiceCollection`, to register the services needed by ASP.NET Core, and on the `IRequestExecutorBuilder` to register the `@authorize` directive and middleware.
+
+2. Register the ASP.NET Core authorization middleware with the request pipeline by calling `UseAuthorization`
+
+```csharp
+public class Startup
+{
+    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
+    {
+        app.UseRouting();
+
+        app.UseAuthentication();
+        app.UseAuthorization();
+
+        app.UseEndpoints(endpoints =>
+        {
+            endpoints.MapGraphQL();
+        });
+    }
+}
+```
+
+# Usage
+
+At the core of authorization with Hot Chocolate is the `@authorize` directive. It can be applied to fields and types to denote that they require authorization.
+
+<ExampleTabs>
+<ExampleTabs.Annotation>
+
+In the Annotation-based approach we can use the `[Authorize]` attribute to add the `@authorize` directive.
+
+```csharp
+[Authorize]
+public class User
+{
+    public string Name { get; set; }
+
+    [Authorize]
+    public Address Address { get; set; }
+}
+```
+
+> ⚠️ Note: We need to use the `HotChocolate.AspNetCore.AuthorizationAttribute` instead of the `Microsoft.AspNetCore.AuthorizationAttribute`.
+
+</ExampleTabs.Annotation>
+<ExampleTabs.Code>
+
+```csharp
+public class UserType : ObjectType<User>
+{
+    protected override void Configure(IObjectTypeDescriptor<User> descriptor)
+    {
+        descriptor.Authorize();
+
+        descriptor.Field(f => f.Address).Authorize();
+    }
+}
+```
+
+</ExampleTabs.Code>
+<ExampleTabs.Schema>
+
+```sdl
+type User @authorize {
+  name: String!
+  address: Address! @authorize
+}
+```
+
+</ExampleTabs.Schema>
+</ExampleTabs>
+
+Specified on a type the `@authorize` directive will be applied to each field of that type. Its authorization logic is executed once for each individual field, depending on whether it was selected by the requestor or not. If the directive is placed on an individual field, it overrules the one on the type.
+
+If we do not specify any arguments to the `@authorize` directive, it will only enforce that the requestor is authenticated, nothing more. If he is not and tries to access an authorized field, a GraphQL error will be raised and the field result set to `null`.
+
+## Roles
+
+Roles provide a very intuitive way of dividing our users into groups with different access rights.
+
+When building our `ClaimsPrincipal`, we just have to add one or more role claims.
+
+```csharp
+claims.Add(new Claim(ClaimTypes.Role, "Administrator"));
+```
+
+We can then check whether an authenticated user has these role claims.
+
+<ExampleTabs>
+<ExampleTabs.Annotation>
+
+```csharp
+[Authorize(Roles = new [] { "Guest", "Administrator" })]
+public class User
+{
+    public string Name { get; set; }
+
+    [Authorize(Roles = new[] { "Administrator" })]
+    public Address Address { get; set; }
+}
+```
+
+</ExampleTabs.Annotation>
+<ExampleTabs.Code>
+
+```csharp
+public class UserType : ObjectType<User>
+{
+    protected override Configure(IObjectTypeDescriptor<User> descriptor)
+    {
+        descriptor.Authorize(new[] { "Guest", "Administrator" });
+
+        descriptor.Field(t => t.Address).Authorize(new[] { "Administrator" });
+    }
+}
+```
+
+</ExampleTabs.Code>
+<ExampleTabs.Schema>
+
+```sdl
+type User @authorize(roles: [ "Guest", "Administrator" ]) {
+  name: String!
+  address: Address! @authorize(roles: "Administrator")
+}
+```
+
+</ExampleTabs.Schema>
+</ExampleTabs>
+
+> ⚠️ Note: If multiple roles are specified, a user only has to match one of the specified roles, in order to be able to execute the resolver.
+
+[Learn more about role-based authorization in ASP.NET Core](https://docs.microsoft.com/aspnet/core/security/authorization/roles)
+
+## Policies
+
+Policies allow us to create richer validation logic and decouple the authorization rules from our GraphQL resolvers.
+
+A policy consists of an [IAuthorizationRequirement](https://docs.microsoft.com/aspnet/core/security/authorization/policies#requirements) and an [AuthorizationHandler&#x3C;T&#x3E;](https://docs.microsoft.com/aspnet/core/security/authorization/policies#authorization-handlers).
+
+Once defined, we can register our policies like the following.
+
+```csharp
+public class Startup
+{
+    public void ConfigureServices(IServiceCollection services)
+    {
+        services.AddAuthorization(options =>
+        {
+            options.AddPolicy("AtLeast21", policy =>
+                policy.Requirements.Add(new MinimumAgeRequirement(21)));
+
+            options.AddPolicy("HasCountry", policy =>
+                policy.RequireAssertion(context =>
+                    context.User.HasClaim(c => c.Type == ClaimTypes.Country)));
+        });
+
+        services.AddSingleton<IAuthorizationHandler, MinimumAgeHandler>();
+
+        // Omitted code for brevity
+
+        services
+            .AddGraphQLServer()
+            .AddAuthorization()
+            .AddQueryType<Query>();
+    }
+}
+```
+
+We can then use these policies to restrict access to our fields.
+
+<ExampleTabs>
+<ExampleTabs.Annotation>
+
+```csharp
+[Authorize(Policy = "AllEmployees")]
+public class User
+{
+    public string Name { get; }
+
+    [Authorize(Policy = "SalesDepartment")]
+    public Address Address { get; }
+}
+```
+
+</ExampleTabs.Annotation>
+<ExampleTabs.Code>
+
+```csharp
+public class UserType : ObjectType<User>
+{
+    protected override Configure(IObjectTypeDescriptor<User> descriptor)
+    {
+        descriptor.Authorize("AllEmployees");
+
+        descriptor.Field(t => t.Address).Authorize("SalesDepartment");
+    }
+}
+```
+
+</ExampleTabs.Code>
+<ExampleTabs.Schema>
+
+```sdl
+type User @authorize(policy: "AllEmployees") {
+  name: String!
+  address: Address! @authorize(policy: "SalesDepartment")
+}
+```
+
+</ExampleTabs.Schema>
+</ExampleTabs>
+
+This essentially uses the provided policy and runs it against the `ClaimsPrinciple` that is associated with the current request.
+
+The `@authorize` directive is also repeatable, which means that we are able to chain the directive and a user is only allowed to access the field if they meet all of the specified conditions.
+
+<ExampleTabs>
+<ExampleTabs.Annotation>
+
+```csharp
+[Authorize(Policy = "AtLeast21")]
+[Authorize(Policy = "HasCountry")]
+public class User
+{
+    public string Name { get; set; }
+}
+```
+
+</ExampleTabs.Annotation>
+<ExampleTabs.Code>
+
+```csharp
+public class UserType : ObjectType<User>
+{
+    protected override Configure(IObjectTypeDescriptor<User> descriptor)
+    {
+        descriptor
+            .Authorize("AtLeast21")
+            .Authorize("HasCountry");
+    }
+}
+```
+
+</ExampleTabs.Code>
+<ExampleTabs.Schema>
+
+```sdl
+type User
+	@authorize(policy: "AtLeast21")
+	@authorize(policy: "HasCountry") {
+	name: String!
+}
+```
+
+</ExampleTabs.Schema>
+</ExampleTabs>
+
+[Learn more about policy-based authorization in ASP.NET Core](https://docs.microsoft.com/aspnet/core/security/authorization/policies)
+
+### IResolverContext within an AuthorizationHandler
+
+If we need to, we can also access the `IResolverContext` in our `AuthorizationHandler`.
+
+```csharp
+public class MinimumAgeHandler
+    : AuthorizationHandler<MinimumAgeRequirement, IResolverContext>
+{
+    protected override Task HandleRequirementAsync(
+        AuthorizationHandlerContext context,
+        MinimumAgeRequirement requirement,
+        IResolverContext resolverContext)
+    {
+        // Omitted code for brevity
+    }
+}
+```
+
+# Global authorization
+
+We can also apply authorization to our entire GraphQL endpoint. To do this, simply call `RequireAuthorization()` on the `GraphQLEndpointConventionBuilder`.
+
+```csharp
+public class Startup
+{
+    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
+    {
+        app.UseRouting();
+
+        app.UseAuthentication();
+        app.UseAuthorization();
+
+        app.UseEndpoints(endpoints =>
+        {
+            endpoints.MapGraphQL().RequireAuthorization();
+        });
+    }
+}
+```
+
+> ⚠️ Note: This will also block unauthenticated access to GraphQL IDEs hosted on that endpoint, like Banana Cake Pop.
+
+This method also accepts [roles](#roles) and [policies](#policies) as arguments, similiar to the `Authorize` attribute / methods.
+
+# Modifying the ClaimsPrincipal
+
+Sometimes we might want to add additional [ClaimsIdentity](https://docs.microsoft.com/dotnet/api/system.security.claims.claimsidentity) to our `ClaimsPrincipal` or modify the default identity.
+
+Hot Chocolate provides the ability to register an `IHttpRequestInterceptor`, allowing us to modify the incoming HTTP request, before it is passed along to the execution engine.
+
+```csharp
+public class HttpRequestInterceptor : DefaultHttpRequestInterceptor
+{
+    public override ValueTask OnCreateAsync(HttpContext context,
+        IRequestExecutor requestExecutor, IQueryRequestBuilder requestBuilder,
+        CancellationToken cancellationToken)
+    {
+        var identity = new ClaimsIdentity();
+        identity.AddClaim(new Claim(ClaimTypes.Country, "us"));
+
+        context.User.AddIdentity(identity);
+
+        return base.OnCreateAsync(context, requestExecutor, requestBuilder,
+            cancellationToken);
+    }
+}
+
+public class Startup
+{
+    public void ConfigureServices(IServiceCollection services)
+    {
+        services
+            .AddGraphQLServer()
+            .AddHttpRequestInterceptor<HttpRequestInterceptor>();
+
+        // Omitted code for brevity
+    }
+}
+```
+
+The `IHttpRequestInterceptor` can be used for many other things as well, not just for modifying the `ClaimsPrincipal`.

website/src/docs/hotchocolate/security/index.md

@@ -0,0 +1,23 @@
+---
+title: "Overview"
+---
+
+In this section we will learn how to secure our GraphQL endpoint.
+
+# Authentication
+
+Authentication in Hot Chocolate is built around the official authentication mechanisms in ASP.NET Core, allowing us to fully embrace their customizability and variety of authentication providers.
+
+[Learn more about authentication](/docs/hotchocolate/security/authentication)
+
+# Authorization
+
+Authorization is one of the most basic security concepts. It builds on top of authentication and allows us to restrict access to types and fields, based on whether a user is authenticated, assigned specific roles or satisfies one or more policies. Hot Chocolate closely matches and nicely integrates with the official ASP.NET Core authorization APIs.
+
+[Learn more about authorization](/docs/hotchocolate/security/authorization)
+
+<!-- # Persisted Queries
+
+Depending on our setup and requirements, the simplest way to make our server secure and control the request impact is to use persisted queries. With this approach, we can export the request from our client applications at development time and only allow the set of known queries to be executed in our production environment.
+
+[Learn more about persisted queries](/docs/hotchocolate/performance/persisted-queries) -->