FYI @gklijs, this works:

(def roles-interceptor
  {:enter (fn [context]
    (assoc-in context [:request :lacinia-app-context :custom-role-key] :some-value})

(defn- inject-roles-interceptor
  [interceptors]
  (pedestal/inject interceptors
                   jwt/roles-interceptor
                   :after
                   ::pedestal/inject-app-context))

Thanks to the help of @nenadalm

Thanks, not sure I get to it, but would like to have a more proper example on authenticating graphql for the GraphQL Summit talk.

Ah we authenticate using Keycloak and Keycloak Gatekeeper

Sidecar container in Kubernetes 🙂

And then Keycloak provides the JWT

Like this

So both the frontend and backend run this Keycloak Gatekeeper sidecar container

And then it just works 🙂

User is redirected to Keycloak login screen and when logged in the cookies are shared between frontend and backend

So because the frontend session is valid (logged in user) the request reaches the backend

With the right cookies

And then you add a little roles-interceptor and the information regarding the roles is available in the resolvers

Then you can determine there what data the user is allowed to query

Sounds easy enough, thanks

🙂

We use plain old cookies for Authentication, an interceptor added before lacinia allows or rejects requests at the http level -- then we have the user available in the resolver to do fine-grained authorization.