duplicate permissions check note
parent b27452eb98
commit 9cadb5e1b4
README.md (10 changed lines)
@ -27,8 +27,10 @@ see `schema.py` and [Strawberry GraphQL documentation](https://strawberry.rocks/
### Attribute based permissions
Assuming a zero trust deployment, the requesting user must have the correct claims to execute an operation -
to disable this during development (or if you operate the service in a trusted enviroment), remove the `permission_classes` parameter in all operations defined in `schema.py`.
Assuming a zero trust deployment, the requesting user must
have the correct claims to execute an operation -
to disable this during development (or if you operate the service in a trusted enviroment),
remove the `permission_classes` parameter in all operations defined in `schema.py`.
These permissions must be a list stored in the access token under the key `config.AUTH_PERMISSIONS_KEY`,
its values prefixed with `config.AUTH_OLS_PREFIX`. For example:
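Review bot: the added line `to disable this during development (or if you operate the service in a trusted enviroment),` carries over the "enviroment" typo from the line it replaces; since the paragraph is being rewrapped anyway, correct it to "environment" in the same change. The rewrap also keeps the bare ` -` at the end of `have the correct claims to execute an operation -` as the join between the two sentences; a full stop there ("... to execute an operation. To disable this during development ...") reads more cleanly than the dash, and the heading `### Attribute based permissions` should be hyphenated as "Attribute-based permissions".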
@ -39,6 +41,10 @@ claims = {
}
```
Strictly speaking this duplicates the permissions check already done by the broker,
and thus requests without required permissions don't even reach the microservice -
they've been rejected at the broker level.
### JWT signature algorithm
For security reasons the JWT signature algorithm must be a member of
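Review bot: the added note (`Strictly speaking this duplicates the permissions check already done by the broker,` ... `they've been rejected at the broker level.`) says the service-level check is redundant but not why it is kept, which invites a reader to remove `permission_classes` in production. The section opens by assuming a zero trust deployment, and under that assumption the service must not rely on the broker having enforced the claims (the service may be reachable without going through the broker, or the broker's policy may be misconfigured), so add one sentence stating that the duplicate check is intentional defense in depth and is the control the service itself relies on. Also, "this" directly after the closing code fence has no clear antecedent; say "the `permission_classes` check" explicitly.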