duplicate permissions check note
This commit is contained in:
parent b27452eb98
commit 9cadb5e1b4
10
README.md
@ -27,8 +27,10 @@ see `schema.py` and [Strawberry GraphQL documentation](https://strawberry.rocks/
### Attribute based permissions
### Attribute based permissions
Assuming a zero trust deployment, the requesting user must have the correct claims to execute an operation -
Assuming a zero trust deployment, the requesting user must
to disable this during development (or if you operate the service in a trusted enviroment), remove the `permission_classes` parameter in all operations defined in `schema.py`.
have the correct claims to execute an operation -
to disable this during development (or if you operate the service in a trusted enviroment),
remove the `permission_classes` parameter in all operations defined in `schema.py`.
These permissions must be a list stored in the access token under the key `config.AUTH_PERMISSIONS_KEY`,
These permissions must be a list stored in the access token under the key `config.AUTH_PERMISSIONS_KEY`,
its values prefixed with `config.AUTH_OLS_PREFIX`. For example:
its values prefixed with `config.AUTH_OLS_PREFIX`. For example:
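Review bot: the reflow on the `+` side carries the misspelling `enviroment` over from the removed line ("if you operate the service in a trusted enviroment"); since these lines are being rewritten anyway, correct it to `environment`. Separately, telling readers to remove the `permission_classes` parameter from every operation in `schema.py` to disable the check makes it easy for a development-only edit to be committed and shipped with authorization off; consider wording the README so the permission classes stay in the schema and disabling is a deliberate, clearly marked step rather than a bulk edit of all operations.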
@ -39,6 +41,10 @@ claims = {
}
}
```
```
Strictly speaking this duplicates the permissions check already done by the broker,
and thus requests without required permissions don't even reach the microservice -
they've been rejected at the broker level.
### JWT signature algorithm
### JWT signature algorithm
For security reasons the JWT signature algorithm must be a member of
For security reasons the JWT signature algorithm must be a member of
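Review bot: the added note reads as if the service-level check were redundant ("Strictly speaking this duplicates the permissions check already done by the broker"), which invites someone to drop it, while the section just above explicitly assumes a zero trust deployment; the two statements pull in opposite directions. Suggest stating that the in-service check is kept intentionally as defense in depth, so it still holds if the service is reached by a path other than the broker or the broker's configuration drifts, e.g. "The broker already enforces these permissions; the check here is deliberate defense in depth for a zero trust deployment, not a redundancy to remove."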