[Authorize] makes no difference

[intunio-johan]

Hi,

The documentation states

"If we do not specify any arguments to the @authorize directive, it will only enforce that the requestor is authenticated, nothing more. If he is not and tries to access an authorized field, a GraphQL error will be raised and the field result set to null."

I think this implies that an unauthenticated user would be able to access fields that don't have the [Authorized] attribute, but this doesn't work. Even if I don't add [Authorized] to my types or fields, I get AUTH_NOT_AUTHENTICATED for any request.

So what does an empty [Authorized] attribute really do? It doesn't seem to make any difference.

[liam-russell]

It sounds like you've enabled global authorisation:
https://chillicream.com/docs/hotchocolate/v12/security/authorization/#global-authorization

In that case an Authorized attribute won't do anything, as everything is already requiring authorization. You can still use the Authorized attribute to restrict further access by policies or roles.