Allow "Bearer" JWT in HASURA_GRAPHQL_JWT_SECRET CustomHeader

Open OliverSo opened this issue 2 years ago • 2 comments

Is your proposal related to a problem?

Yes. I'm in the process of setting up JWT authentication for my hasura instance and I want to expose the GraphQL- and REST-endpoints through a Google ESPV2 API Gateway.

The ESPV2 expects a "Bearer" JWT token, which it will validate before propagating the request to the hasura endpoint. ESPv2 then sends the following headers to hasura:

  • authorization (a new JWT created by ESPV2 that is unrelated to the original JWT)
  • x-forwarded-authorization (the complete original authorization starting with Bearer)
  • x-endpoint-api-userinfo (only the payload part of the JWT, which is not accepted by hasura as it expects a JWT header as well)

When using a CustomHeader in HASURA_GRAPHQL_JWT_SECRET, I set the name to x-forwarded-authorization.

{"type": "RS256", "header": { "type": "CustomHeader", "name": "x-forwarded-authorization"}, "jwk_url": "https://auth.test.com/.well-known/jwks"}

I'm now facing the issue that hasura ONLY accepts the token without the Bearer scheme in case of the CustomHeader type.

Error (with Bearer):

Schema introspection query failed:
Could not verify JWT: JWSError (JSONDecodeError "Not valid base64url")

Describe the solution you'd like

It would be great if hasura either accepted a Bearer JWT token on CustomHeader types or I could specify a scheme like

{"type": "RS256", "header": { "type": "CustomHeader", "scheme": "Bearer", "name": "x-forwarded-authorization"}, "jwk_url": "https://auth.test.com/.well-known/jwks"}

Describe alternatives you've considered

I was trying to use the x-endpoint-api-userinfo header as described above, but hasura can not validate it since it's missing the headers. Error:

Schema introspection query failed:
Could not verify JWT: JWSError (CompactDecodeError Invalid number of parts: Expected 3 parts; got 1)

OliverSo avatar Oct 20 '23 12:10 OliverSo
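The two errors quoted in the issue both come from the structural checks that run before any signature verification: a value that still carries the "Bearer " prefix is not valid base64url, and a value taken from x-endpoint-api-userinfo has one part instead of the three of a compact JWS. The following Python is an added example written for this page, not Hasura's own code (graphql-engine is Haskell) and not code from the issue author; it reproduces those two checks with an optional, case-insensitive scheme prefix as proposed above, and shows the header selection a proxy layer in front of Hasura would have to do today. The sample JWT and header values are constructed inline and carry a placeholder signature; no key or JWKS URL is involved, and the function names are this example's own.

```python
import base64
import json
import re
from typing import Dict, Optional


class TokenExtractionError(ValueError):
    """Raised when a header value cannot be turned into a compact JWS."""


def _b64url(data: bytes) -> str:
    # JWS uses base64url without '=' padding (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample values for this example only; the signature is a
# placeholder, so this token would never pass real verification.
SAMPLE_HEADER = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
SAMPLE_PAYLOAD = _b64url(json.dumps({
    "sub": "user-123",
    "https://hasura.io/jwt/claims": {"x-hasura-default-role": "user"},
}).encode())
SAMPLE_SIG = _b64url(b"\x00" * 32)
SAMPLE_JWT = f"{SAMPLE_HEADER}.{SAMPLE_PAYLOAD}.{SAMPLE_SIG}"

_B64URL_PART = re.compile(r"[A-Za-z0-9_-]+")


def extract_compact_jws(header_value: str, scheme: Optional[str] = None) -> str:
    """Return the compact JWS carried in a header value.

    With scheme=None the whole value must be the token (Hasura's current
    CustomHeader behaviour). With scheme="Bearer" the RFC 6750 form
    'Bearer <token>' is required; the scheme is matched case-insensitively.
    """
    value = header_value.strip()
    if scheme is not None:
        m = re.fullmatch(rf"{re.escape(scheme)}\s+(\S+)", value, flags=re.IGNORECASE)
        if m is None:
            raise TokenExtractionError(f"expected '{scheme} <token>' in header")
        value = m.group(1)
    parts = value.split(".")
    if len(parts) != 3:
        # Same failure as feeding x-endpoint-api-userinfo (payload only) to Hasura.
        raise TokenExtractionError(
            f"Invalid number of parts: Expected 3 parts; got {len(parts)}")
    for i, part in enumerate(parts):
        if not _B64URL_PART.fullmatch(part):
            # A leftover 'Bearer ' prefix fails here: space is not base64url.
            raise TokenExtractionError(f"part {i} is not valid base64url")
    return value


def decode_jose_header(token: str) -> dict:
    """Decode the protected header so the expected alg can be checked."""
    head = token.split(".")[0]
    head += "=" * (-len(head) % 4)
    return json.loads(base64.urlsafe_b64decode(head))


def token_from_espv2_headers(headers: Dict[str, str]) -> str:
    """Pick the verifiable token out of the headers ESPv2 forwards.

    Only x-forwarded-authorization carries the complete original JWT;
    x-endpoint-api-userinfo is the bare payload and has no signature to
    verify, so it is refused rather than decoded.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if "x-forwarded-authorization" not in lowered:
        if "x-endpoint-api-userinfo" in lowered:
            raise TokenExtractionError(
                "x-endpoint-api-userinfo is payload only and cannot be verified")
        raise TokenExtractionError("missing x-forwarded-authorization")
    token = extract_compact_jws(lowered["x-forwarded-authorization"], scheme="Bearer")
    if decode_jose_header(token).get("alg") != "RS256":
        raise TokenExtractionError("unexpected alg in protected header")
    return token


# Constructed headers in the shape described in the issue (not captured traffic).
SAMPLE_ESPV2_HEADERS = {
    "authorization": "Bearer " + SAMPLE_JWT,  # gateway-minted token, ignored here
    "x-forwarded-authorization": "Bearer " + SAMPLE_JWT,
    "x-endpoint-api-userinfo": SAMPLE_PAYLOAD,
}

if __name__ == "__main__":
    print(token_from_espv2_headers(SAMPLE_ESPV2_HEADERS))
```

Whatever strips the scheme, the forwarded header is only trustworthy if Hasura is reachable exclusively through ESPv2: a client that can reach Hasura directly can set x-forwarded-authorization itself, so the network path, not the header name, is what makes the gateway's verification count.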

I agree that it makes sense to add scheme customization to CustomHeader. We will add it to our backlog but it may take a couple of weeks to prioritize this.

tirumaraiselvan avatar Nov 07 '23 05:11 tirumaraiselvan

@tirumaraiselvan may I ask for any updates on this? This has become a real blocker for us. I'd appreciate a short feedback on the timeline. Thanks!

OliverSo avatar Feb 06 '24 19:02 OliverSo