Granted Authorization GraphQL API
The Granted Authorization GraphQL API allows the query and mutation of granted authorizations, which represent the set of authorizations granted by a resource owner (e.g. a user) to an OAuth 2.0 client.
In the Curity Identity Server these authorizations are captured in the form of delegations (see Token Profile) and stored by a Delegation Data Access Provider. A new delegation is created every time an access token is created based on a non-refresh grant, even if an equivalent delegation already exists, so a user may have multiple similar delegations for the same client.
In contrast, a granted authorization represents a unique aggregation of all delegations created for a given owner and client. Each granted authorization contains:
- A string identifying the delegation owner (e.g. the authenticated username on an OAuth 2.0 code flow).
- Information about the client to which the authorization was granted, including its unique identifier and name.
- The authorized scopes, computed as the union of all scopes granted by all matching delegations.
- The authorized claims, computed as the union of all claims granted by all matching delegations.
- A creation timestamp, corresponding to the lowest creation timestamp of all matching delegations.
- A last update timestamp, corresponding to the highest creation timestamp of all matching delegations.
By matching delegations we mean all non-revoked delegations with the given owner and client. Note also that granted authorizations are never stored and are always computed from the stored delegations.
Operations
The Granted Authorization GraphQL API supports two categories of operations:
- Query operations allow you to retrieve granted authorizations by owner or by owner and client identifier. These operations give you visibility into which clients have been authorized by resource owners and what scopes and claims have been granted.
- Mutation operations enable you to revoke granted authorizations, either for all clients associated with an owner or for a specific owner-client pair. Revoking a granted authorization revokes all underlying delegations that match the criteria.
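The aggregation rules above and the revocation semantics can be shown end to end. The following is an added example, not code from the Curity Identity Server: it models stored delegations in memory with constructed sample data (hypothetical owners, clients, scopes and timestamps) and computes granted authorizations from them exactly as described, then applies a revocation and shows that the computed view changes accordingly.

```python
from collections import namedtuple
from dataclasses import dataclass

@dataclass
class Delegation:
    """One stored delegation: what a single grant gave one client."""
    owner: str
    client_id: str
    client_name: str
    scopes: frozenset
    claims: frozenset
    created: int          # creation timestamp (epoch seconds)
    revoked: bool = False

# Computed view, never stored: scopes/claims are unions over matching delegations,
# created is the lowest and last_updated the highest creation timestamp among them.
GrantedAuthorization = namedtuple(
    "GrantedAuthorization", "owner client_id client_name scopes claims created last_updated")

def granted_authorizations(delegations, owner, client_id=None):
    """One granted authorization per (owner, client), built only from non-revoked
    delegations of the owner (and of the given client, when one is specified)."""
    by_client = {}
    for d in delegations:
        if d.revoked or d.owner != owner or (client_id and d.client_id != client_id):
            continue
        by_client.setdefault(d.client_id, []).append(d)
    return [GrantedAuthorization(owner, cid, ds[0].client_name,
                                 frozenset().union(*(d.scopes for d in ds)),
                                 frozenset().union(*(d.claims for d in ds)),
                                 min(d.created for d in ds), max(d.created for d in ds))
            for cid, ds in by_client.items()]

def revoke(delegations, owner, client_id=None):
    """Revocation mutation semantics: revoke every matching underlying delegation.
    Returns how many delegations were revoked; a later query then no longer sees them."""
    matching = [d for d in delegations if not d.revoked and d.owner == owner
                and (client_id is None or d.client_id == client_id)]
    for d in matching:
        d.revoked = True
    return len(matching)

def make_sample():
    """Constructed delegations (hypothetical owners and clients, not real Curity data)."""
    fs = frozenset
    return [Delegation("alice", "web-app", "Web App", fs({"openid", "profile"}), fs({"sub"}), 1000),
            Delegation("alice", "web-app", "Web App", fs({"openid", "email"}), fs({"sub", "email"}), 2000),
            Delegation("alice", "web-app", "Web App", fs({"admin"}), fs({"role"}), 1500, revoked=True),
            Delegation("alice", "mobile", "Mobile App", fs({"openid"}), fs({"sub"}), 3000),
            Delegation("bob", "web-app", "Web App", fs({"openid"}), fs({"sub"}), 500)]
```

Note that the revoked `admin` delegation never contributes to the computed scopes, and that revoking the owner-client pair leaves the owner's other clients untouched.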
For detailed information about available queries and mutations, including performance considerations and limitations, see Granted Authorization GraphQL API Operations.
The Granted Authorization GraphQL API is self-documented. Check the GraphQL documentation for more information about using Curity’s GraphQL APIs and obtaining the full GraphQL schema.
Endpoint
The Granted Authorization GraphQL API is exposed by Token Service endpoints with the oauth-granted-authorization-graphql-api kind.
Access Control
For the Granted Authorization GraphQL API to be usable without the Curity DevOps Dashboard, it is necessary to configure an appropriate Authorization Manager in the relevant Token Service, implementing the desired authorization policy.
Not all Authorization Managers support GraphQL APIs. At the time of writing, the Groups Authorization Manager, Attribute Authorization Manager and Self-Service Authorization Manager have full support for the Granted Authorization GraphQL API.
All query operations are considered reads; all revocation operations are considered deletes.
Licensing
The Granted Authorization GraphQL API requires a license with the GraphQL feature, including the granted-authorization restriction.