mirror of
https://github.com/hasura/graphql-engine.git
synced 2024-12-15 01:12:56 +03:00
fix grammar in docs (#3065)
This commit is contained in:
Shivam175
Shahidh K Muhammed
parent
251f861787
commit
aa6947a608
@ -22,7 +22,7 @@ Authentication options
|
||||
Hasura supports two modes of authentication configuration:
|
||||
|
||||
1) **Webhook**: Your auth server exposes a webhook that is used to authenticate all incoming requests
|
||||
to the Hasura GraphQL engine server and to get metadata about the request to evaluate access control
|
||||
to the Hasura GraphQL engine server and to get metadata about the request, to evaluate access control
|
||||
rules. Here's how a GraphQL request is processed in webhook mode:
|
||||
|
||||
.. thumbnail:: ../../../../img/graphql/manual/auth/auth-webhook-overview.png
|
||||
|
||||
@ -12,7 +12,7 @@ Introduction
|
||||
You can configure the GraphQL engine to use JWT authorization mode to authorize all incoming requests to the Hasura GraphQL engine server.
|
||||
|
||||
The idea is that your auth server will return JWT tokens, which are decoded and
|
||||
verified by the GraphQL engine to authorize and get metadata about the request
|
||||
verified by the GraphQL engine, to authorize and get metadata about the request
|
||||
(``x-hasura-*`` values).
|
||||
|
||||
|
||||
@ -53,9 +53,9 @@ When your auth server generates the JWT, the custom claims in the JWT **must con
|
||||
the following:
|
||||
|
||||
1. A ``x-hasura-default-role`` field : indicating the default role of that user i.e. the role that will be
|
||||
used in case ``x-hasura-role`` header is not passed
|
||||
used in case ``x-hasura-role`` header is not passed.
|
||||
2. A ``x-hasura-allowed-roles`` field : a list of allowed roles for the user i.e. acceptable values of the
|
||||
``x-hasura-role`` header
|
||||
``x-hasura-role`` header.
|
||||
|
||||
The claims in the JWT can have other ``x-hasura-*`` fields where their values
|
||||
can only be strings. You can use these ``x-hasura-*`` fields in your
|
||||
@ -159,7 +159,7 @@ JWTs). The URL **must** publish the JWKs in the standard format as described in
|
||||
https://tools.ietf.org/html/rfc7517.
|
||||
|
||||
This is an optional field. You can also provide the key (certificate, PEM
|
||||
encoded public key) as string as well - under the ``key`` field.
|
||||
encoded public key) as a string - under the ``key`` field.
|
||||
|
||||
**Rotating JWKs**:
|
||||
|
||||
@ -177,7 +177,7 @@ JWKs are not refreshed.
|
||||
|
||||
``claims_namespace``
|
||||
^^^^^^^^^^^^^^^^^^^^
|
||||
This is an optional field. You can specify the key name
|
||||
This is an optional field. You can specify the key name,
|
||||
inside which the Hasura specific claims will be present, e.g. ``https://mydomain.com/claims``.
|
||||
|
||||
**Default value** is: ``https://hasura.io/jwt/claims``.
|
||||
@ -191,8 +191,8 @@ This is an optional field, with only the following possible values:
|
||||
|
||||
Default is ``json``.
|
||||
|
||||
This is to indicate that if the Hasura specific claims are a regular JSON object
|
||||
or stringified JSON.
|
||||
This is to indicate whether the Hasura specific claims are a regular JSON object
|
||||
or a stringified JSON.
|
||||
|
||||
This is required because providers like AWS Cognito only allow strings in the
|
||||
JWT claims. `See #1176 <https://github.com/hasura/graphql-engine/issues/1176>`_.
|
||||
@ -272,8 +272,8 @@ or
|
||||
the ``aud`` claim from the JWT is also checked during verification. Not doing
|
||||
this check will allow JWTs issued for other tenants to be valid as well.
|
||||
|
||||
In these cases, you **MUST** set the ``audience`` field to appropriate value.
|
||||
Failing to do is a major security vulnerability.
|
||||
In these cases, you **MUST** set the ``audience`` field to the appropriate value.
|
||||
Failing to do so is a major security vulnerability.
|
||||
|
||||
|
||||
``issuer``
|
||||
@ -323,7 +323,7 @@ The ``key`` is the actual shared secret, which is used by Hasura and the externa
|
||||
RSA based
|
||||
+++++++++
|
||||
If your auth server is using RSA to sign JWTs, and is using a 512-bit key,
|
||||
the JWT config needs to have the only the public key.
|
||||
the JWT config only needs to have the public key.
|
||||
|
||||
**Example 1**: public key in PEM format (not OpenSSH format):
|
||||
|
||||
@ -387,7 +387,7 @@ Setting audience check
|
||||
^^^^^^^^^^^^^^^^^^^^^^
|
||||
Certain JWT providers share JWKs between multiple tenants (like Firebase). They use the ``aud`` claim of JWT to specify the intended tenant for the JWT. Setting the ``audience`` field in the Hasura JWT configuration will make sure that the ``aud`` claim from the JWT is also checked during verification. Not doing this check will allow JWTs issued for other tenants to be valid as well.
|
||||
|
||||
In these cases, you **MUST** set the ``audience`` field to appropriate value. Failing to do is a major security vulnerability.
|
||||
In these cases, you **MUST** set the ``audience`` field to appropriate value. Failing to do so is a major security vulnerability.
|
||||
|
||||
|
||||
Popular providers and known issues
|
||||
|
||||
Loading…
Reference in New Issue
Block a user