[Authorize] makes no difference #5571
Unanswered
intunio-johan
asked this question in
Q&A
Replies: 1 comment
-
|
It sounds like you've enabled global authorisation: In that case an Authorized attribute won't do anything, as everything is already requiring authorization. You can still use the Authorized attribute to restrict further access by policies or roles. |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Hi,
The documentation states
"If we do not specify any arguments to the @authorize directive, it will only enforce that the requestor is authenticated, nothing more. If he is not and tries to access an authorized field, a GraphQL error will be raised and the field result set to null."
I think this implies that an unauthenticated user would be able to access fields that don't have the [Authorized] attribute, but this doesn't work. Even if I don't add [Authorized] to my types or fields, I get AUTH_NOT_AUTHENTICATED for any request.
So what does an empty [Authorized] attribute really do? It doesn't seem to make any difference.
Beta Was this translation helpful? Give feedback.
All reactions