Thursday, May 2, 2024

How to secure Sitecore GraphQL?


Authentication Options:

  1. Expose GraphQL via Azure APIM and allow APIM to connect to GraphQL using Sitecore API Key

  2. Use Azure Active Directory B2C JWT Token

    1. OAuth 2.0 Client Credentials Grant Flow [get an access token directly]

    2. OAuth 2.0 Authorization Code Grant Flow [get an authorization code, then exchange the authorization code for an access token]

  3. Use Sitecore Identity Server JWT Token

  4. Sitecore authentication (cookie-based)


1. Authentication

Why option #1 (expose GraphQL via Azure APIM) is the preferred solution:

  1. A Sitecore API key is created within Sitecore and the GraphQL endpoints are enabled.

  2. The Sitecore GraphQL endpoint is exposed via Azure APIM.

  3. The consuming client provides its Azure APIM subscription key as part of the request's Authorization header.

  4. Behind the scenes, APIM passes the Sitecore API key to the Sitecore GraphQL server; the client never handles the Sitecore key itself.

  5. Each Sitecore API key has a custom Sitecore role assigned, which lets us implement content-level authorization.

  6. We can take advantage of the security and request-throttling features that APIM provides out of the box.


2. Authorization

Sitecore's out-of-the-box role-based permissions can be used to grant or deny access to specific parts of the Sitecore content tree. High-level steps:

  1. Create a new Sitecore role and grant or deny it access to the relevant parts of the content tree.

  2. Assign this newly created role to the Sitecore API key created above as part of Authentication [go to the Sitecore content tree -> Settings -> Services -> API Keys -> any GraphQL item -> under the item's Data section, in Impersonation User, enter the Sitecore role created in step 1].


Deny Mutations (Create/Update/Delete) and Subscriptions

By default, mutations and subscriptions are enabled in Sitecore.Services.GraphQL.Content.Config.

To fix this, either patch that config or create a new context-aware GraphQL endpoint, and disable mutations and subscriptions on it.
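The following APIM inbound policy is an added example (not from the original post) tying together option #1 and the mutation/subscription block above: it drops the caller's subscription key, injects the Sitecore API key from an APIM named value, rejects mutation and subscription operations at the gateway as defence in depth, and throttles per subscription. The named value `sitecore-graphql-api-key`, the 300 calls per minute limit and the error body are assumptions; the real control for mutations remains the Sitecore endpoint configuration.

```xml
<!-- Added example policy for the APIM operation fronting the Sitecore GraphQL endpoint.
     Assumption: the Sitecore API key is stored in the APIM named value "sitecore-graphql-api-key". -->
<policies>
    <inbound>
        <base />
        <!-- APIM has already validated the caller's subscription key; do not forward a gateway credential to Sitecore. -->
        <set-header name="Ocp-Apim-Subscription-Key" exists-action="delete" />
        <!-- Inject the Sitecore API key server-side, so the client never holds it. -->
        <set-header name="sc_apikey" exists-action="override">
            <value>{{sitecore-graphql-api-key}}</value>
        </set-header>
        <!-- Coarse gateway check: reject documents whose operation starts with mutation/subscription.
             Defence in depth only; mutations/subscriptions must also be disabled in the Sitecore config. -->
        <choose>
            <when condition="@{
                var body = context.Request.Body?.As<JObject>(preserveContent: true);
                var query = (string)body?["query"] ?? string.Empty;
                return System.Text.RegularExpressions.Regex.IsMatch(
                    query,
                    @"^\s*(mutation|subscription)\b",
                    System.Text.RegularExpressions.RegexOptions.IgnoreCase);
            }">
                <return-response>
                    <set-status code="403" reason="Forbidden" />
                    <set-header name="Content-Type" exists-action="override">
                        <value>application/json</value>
                    </set-header>
                    <set-body>{"errors":[{"message":"Mutations and subscriptions are not exposed through this endpoint."}]}</set-body>
                </return-response>
            </when>
        </choose>
        <!-- Per-subscription throttling (assumed limit: 300 calls per 60 seconds). -->
        <rate-limit-by-key calls="300" renewal-period="60" counter-key="@(context.Subscription.Id)" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

The `sc_apikey` header is the one Sitecore's GraphQL endpoint reads for the API key; the body check only catches straightforward operation documents, which is why it complements rather than replaces the Sitecore-side setting.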


References:

OAuth 2.0 Client Credentials Grant Flow [get an access token directly]: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow

OAuth 2.0 Authorization Code Grant Flow [get an authorization code, then exchange the authorization code for an access token]: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow
