2020-07-08 00:47:42 +03:00
.. meta ::
2021-03-17 20:26:28 +03:00
:description: Bypassing auth in your remote schema with Hasura
:keywords: hasura, docs, remote schema, authorization, bypass
2020-07-08 00:47:42 +03:00
2021-03-17 20:26:28 +03:00
.. _remote_schema_bypass_auth:
2020-07-08 00:47:42 +03:00
2021-03-17 20:26:28 +03:00
Bypassing Hasura's auth for remote schemas
2020-07-08 00:47:42 +03:00
==========================================
.. contents :: Table of contents
:backlinks: none
2021-03-17 20:26:28 +03:00
:depth: 1
2020-07-08 00:47:42 +03:00
:local:
Introduction
------------
2021-03-17 20:26:28 +03:00
It might be necessary sometimes to bypass Hasura's authentication system (calling
2020-07-08 00:47:42 +03:00
the configured webhook, or validating the JWT), for requests that are for a
remote GraphQL server.
**For example** , you have a remote GraphQL server which does authentication,
i.e. signup and login, and you have added it as a remote schema. In this case,
you would not want to perform Hasura's authorization when the user is making a
login/signup request.
There is no first-class option to currently do this via any configuration in
Hasura. However a similar solution can be achieved by the following workarounds:
2021-03-17 20:26:28 +03:00
Bypassing webhook authentication
--------------------------------
2020-07-08 00:47:42 +03:00
If you have a :ref: `webhook authorization setup <auth_webhooks>` , in the normal scenario, your authorization
webhook would return `` 200 `` on success and `` 401 `` if it is either unable to authorize the current request or if
the authorization information is absent (like cookie, authorization header etc.)
To bypass the webhook auth:
- the webhook should respond with `` 200 `` and `` x-hasura-role: anonymous `` instead of a `` 401 `` when the
authorization information is absent or if it fails to resolve the authorization information.
- when adding the remote schema, check the `` Forward all headers from client `` option so that the remote server
will get the relevant cookie/header (from the client) and the role `` anonymous `` .
2021-03-17 20:26:28 +03:00
Bypassing JWT authentication
----------------------------
2020-07-08 00:47:42 +03:00
If you have a :ref: `JWT authorization setup <auth_jwt>` , to bypass the JWT auth:
- your authentication server should generate a static JWT token for `` anonymous `` i.e. unauthenticated users.
- when adding the remote schema, check the `` Forward all headers from client `` option so that the remote server
will get the JWT (from the client).
For example, the generated JWT can be:
.. code-block :: json
{
"sub": "0000000000",
"iat": 1516239022,
"role": "anonymous",
"https://hasura.io/jwt/claims": {
"x-hasura-allowed-roles": ["anonymous"],
"x-hasura-default-role": "anonymous"
}
}
Hasura will get this JWT and successfully validate it. When your remote server receives this JWT, it should
specifically validate the JWT and, for example, check for the `` role `` key in the JWT. If it is set to `` anonymous `` ,
then it should consider the request as unauthenticated.
2021-03-09 11:36:02 +03:00
.. admonition :: Additional Resources
Data Federation with Hasura - `Watch Webinar <https://hasura.io/events/webinar/data-federation-hasura-graphql/?pg=docs&plcmt=body&cta=watch-webinar&tech=> `__ .