@Ashera Silva <ash...@wso2.com>, noticed that this thread is private. We need to discuss this on @Architecture List <architecture@wso2.org> so that we can get wider feedback from the community.

Might be a good idea to link to this[1] as well. There was a lot of interest shown by the community regarding this, so we can get feedback from them as well.

[1] https://github.com/wso2/product-apim/issues/3184

On Mon, 4 Nov 2019 at 11:56, Sanjeewa Malalgoda <sanje...@wso2.com> wrote:

> I feel it's good to define policies outside the API definition and link them with scopes. It will work in JWT and OAuth scenarios without issue. However, when it comes to basic auth there will be a small issue, as no direct scope information comes from that. But we can check resource scopes (roles) and cross-check them with user roles. Then, if role matching worked, consider scopes to retrieve policies for GraphQL. The main reason behind this is that roles usually reside outside the API Management system. If we are to define something global for all resources within an API, then we can have something like an API-level scope which is an attribute of the API. Then we can pass that to the handler while publishing the API. Thoughts?
>
> Thanks,
> sanjeewa.
>
> On Fri, Nov 1, 2019 at 5:31 PM Ashera Silva <ash...@wso2.com> wrote:
>
>> Hi all,
>>
>> My project is to add fine-grained access control to GraphQL APIs. After the initial project discussion, the main features suggested for the static query analysis part are:
>> 1. query depth limitation
>> 2. query complexity limitation
>>
>> When considering the "query depth limitation", my implementation so far provides a maximum query depth value. When the query from the GraphQL request exceeds this limit, the query is blocked, so malicious queries can be identified before they hit the GraphQL server. But this value is common for all users. This is not fair, as different roles should be given different limitations. The suggestion that is proposed is to give a role-specific maximum depth limitation.
>>
>> Please refer to the Google Doc attached herewith for reference in detail.
>>
>> https://docs.google.com/document/d/1lsO-c9ajHs7Ru3bjApLUwrJNv4eaVZ-yVJUZNMG-ADU/edit?usp=sharing
>>
>> Your feedback in this regard is highly appreciated.
>>
>> --
>> *Ashera Silva* | Engineering - Intern | WSO2 Inc.
>> Mobile : +94702547925 | Email : ash...@wso2.com
>>
>
> --
> *Sanjeewa Malalgoda*
> Software Architect | Associate Director, Engineering - WSO2 Inc.
> (m) +94 712933253 | (e) sanje...@wso2.com | (b) Blogger <http://sanjeewamalalgoda.blogspot.com>, Medium <https://medium.com/@sanjeewa190>
>
> GET INTEGRATION AGILE <https://wso2.com/signature>
> Integration Agility for Digitally Driven Business

--
Regards,
Uvindra
Mobile: 777733962
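The role-specific depth limit discussed in the thread, as an added example that is not code from WSO2 API Manager or from anyone on this list: a static check that computes the selection depth of a GraphQL request (fragments expanded, cyclic spreads treated as unbounded) and compares it with the most permissive limit among the caller's roles. The role table, the sample request and every function name are assumptions constructed for illustration.

```python
import re
ROLE_MAX_DEPTH = {"admin": 10, "partner": 5, "subscriber": 3}   # constructed, illustrative limits
SAMPLE = """{ me { orders(filter: {status: "OPEN"}) { items { product { name } } } } ...Basics }
fragment Basics on User { id ... on Employee { manager { name } } }"""   # constructed request
# Strings, comments and directive names are consumed and dropped; names, '...', braces, parens and ':' are kept.
_TOKEN = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\])*"|#[^\n]*|@\w+|(\.\.\.|[A-Za-z_]\w*|[{}():])')

def _skip_args(toks, i):                      # skip zero or more '(' ... ')' groups starting at toks[i]
    level = 0
    while toks[i] == "(" or level:
        level += (toks[i] == "(") - (toks[i] == ")")
        i += 1
    return i

def _selection_set(toks, i, frags, active):   # toks[i] == '{'; returns (depth, index past matching '}')
    depth, i = 0, i + 1                       # a leaf field counts as one level
    while toks[i] != "}":                     # malformed input raises here: reject such requests
        if toks[i] == "..." and toks[i + 1] not in ("on", "(", "{"):   # named fragment spread
            name = toks[i + 1]                # a cyclic spread is spec-invalid: treat as unbounded
            child = (float("inf") if name in active else
                     _selection_set(toks, frags[name], frags, active | {name})[0])
            depth, i = max(depth, child), _skip_args(toks, i + 2)
        elif toks[i] == "...":                # inline fragment: adds no level of its own
            i = _skip_args(toks, i + 3 if toks[i + 1] == "on" else i + 1)
            child, i = _selection_set(toks, i, frags, active)
            depth = max(depth, child)
        else:                                 # field: [alias ':'] name [args] [directive args] [set]
            i = _skip_args(toks, i + 3 if toks[i + 1] == ":" else i + 1)
            child, i = _selection_set(toks, i, frags, active) if toks[i] == "{" else (0, i)
            depth = max(depth, 1 + child)
    return depth, i + 1

def query_depth(doc):                         # deepest selection over all operations, fragments expanded
    toks = [m.group(1) for m in _TOKEN.finditer(doc) if m.group(1)]
    frags, ops, level, pending = {}, [], 0, None
    for i, t in enumerate(toks):              # pass 1: locate operation and fragment bodies
        if level == 0 and t == "fragment":    # 'fragment' Name 'on' Type [directive args] { ... }
            pending = toks[i + 1]
        elif level == 0 and t == "{":
            if pending:
                frags[pending], pending = i, None
            else:
                ops.append(i)
        level += (t in ("(", "{")) - (t in (")", "}"))
    return max((_selection_set(toks, j, frags, frozenset())[0] for j in ops), default=0)

def is_allowed(doc, roles):                   # the most permissive limit among the caller's roles wins
    return query_depth(doc) <= max((ROLE_MAX_DEPTH[r] for r in roles if r in ROLE_MAX_DEPTH), default=0)
```

A gateway handler would take the roles from the validated token (or, for basic auth, from the authenticated user) and reject the request before it is forwarded; an undefined fragment or unbalanced braces raise, which should also result in rejection.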
_______________________________________________ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture