Authorization with OpenID Connect

We're extremely happy to announce that Grafbase supports OpenID Connect (OIDC).

Grafbase authorization with OIDC currently supports two kinds of data access rule: signed-in users only, and group-based access.

OIDC is an open authentication protocol layered on top of the OAuth 2.0 framework. With the Grafbase OIDC integration, your application's users get single sign-on through the identity provider you already use, and you no longer have to write the token verification and access-check code yourself.

The tokens issued by your identity provider (Clerk, Auth0, etc.) carry claims about the user. Grafbase checks those claims against your rules to allow or deny access to data.

Enabling OIDC authorization is done with the @auth directive in your schema. All you need is the issuer URL supplied by your identity provider.

To restrict your project to signed-in users, use the allow: private rule:

```graphql
# grafbase/schema.graphql
schema
  @auth(
    providers: [{ type: oidc, issuer: "YOUR_ISSUER_ENDPOINT" }]
    rules: [{ allow: private }]
  ) {
  query: Query
}
```

With group-based authorization you allow access only to users whose token carries at least one of the listed groups:

```graphql
# grafbase/schema.graphql
schema
  @auth(
    providers: [{ type: oidc, issuer: "YOUR_ISSUER_ENDPOINT" }]
    rules: [{ allow: groups, groups: ["backend", "admin"] }]
  ) {
  query: Query
}
```

Access is granted on the strength of a JWT sent with each request to your Grafbase backend, in the Authorization header as a Bearer token.

The issuer URL is what makes the token's contents trustworthy: it is where the provider's public signing keys are discovered, so the token's signature is verified against those keys and its iss, exp and nbf claims are checked before any claim is used for an authorization decision. Only then are claims such as sub (who the user is) and groups (which groups the user belongs to) consulted. Decoded, a token looks something like this:

```json
{
  "exp": 1659646197,
  "groups": ["admin"],
  "iat": 1659559797,
  "iss": "YOUR_ISSUER_ENDPOINT",
  "nbf": 1659559792,
  "sub": "user_12345"
}
```

We'd love to hear your feedback and ideas, so join us on Discord.