mirror of
https://github.com/hasura/graphql-engine.git
synced 2024-08-16 06:00:34 +03:00
docs: document known issue of invalid JWT padding by AWS Cognito + ELB
PR-URL: https://github.com/hasura/graphql-engine-mono/pull/10919 GitOrigin-RevId: 682d3918a3f018fd6c7d1d6a2b9ecdb6fca66df1
This commit is contained in:
parent
7a0eb6847a
commit
aa77448b2f
@ -741,15 +741,23 @@ Once authenticated, all operations are allowed without further check, until the
## Popular providers and known issues
### AWS Cognito
AWS Cognito and ELB (Elastic Load Balancer) has a known issue where it adds additional padding
(using = characters) to the JWT token that is generated from Cognito.
This is a known issue and is documented by AWS in [their
docs](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html#user-claims-encoding):
> Standard libraries are not compatible with the padding that is included in the Application Load
> Balancer authentication token in JWT format.
Currently, there is no workaround possible in Hasura. Even if Hasura strips the additional padding
the signature verification of the token would fail (as Hasura had to tamper the token).
### Firebase
This page of the Firebase
[docs](https://firebase.google.com/docs/auth/admin/verify-id-tokens#verify_id_tokens_using_a_third-party_jwt_library)
mentions that JWKs are published under:
[https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com](https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com)
But that is a non-standard format. Firebase also publishes the same certificates as the proper JWK format under:
Firebase publishes the JWKs at:
[https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com](https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com)
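Review bot: "AWS Cognito and ELB (Elastic Load Balancer) has a known issue" has two subjects and should read "have a known issue", and "JWT token" is redundant ("JWT" already contains "token"). In the Firebase part of this hunk there are now two consecutive lead-ins for the same link, "Firebase also publishes the same certificates as the proper JWK format under:" immediately followed by "Firebase publishes the JWKs at:"; keep one. The closing sentence would read better as "tamper with the token", and it would help readers to make the reason explicit: the text implies the signature was computed over the padded encoding, so removing the padding changes the signed input and verification cannot succeed.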
@ -768,46 +776,6 @@ If you are using Firebase and Hasura, use this config:
Refer to the [Auth0 JWT Integration tutorial](https://hasura.io/learn/graphql/hasura-authentication/integrations/auth0/)
for a detailed guide on integrating Auth0 with Hasura.
Auth0 publishes their JWK under:
`https://<your-auth0-domain>.auth0.com/.well-known/jwks.json`
But they have a
[bug where the certificate thumbprint does not match](https://community.auth0.com/t/certificate-thumbprint-is-longer-than-20-bytes/7794/3).
Hence, currently this URL does not work with Hasura.
Current workaround is - download the X590 certificate from:
`https://<your-auth0-domain>.auth0.com/pem`
And use it in the `key` field:
```json
{
"type":"RS512",
"key": "-----BEGIN CERTIFICATE-----
MIIDDTCAfWgAwIBAgIJhNlZ11IDrxbMA0GCSqSIb3DQEBCwUAMCQxIjAgBgNV
BAMTGXlc3QtaGdlLWp3C5ldS5hdXRoMC5jb20HhcNMTgwNzMwMTM1MjM1WhcN
MzIwND3MTM1MjM1WjAkSIwIAYDVQQDExl0ZXNLWhnZS1qd3QuZXUuYXV0aDAu
Y29tMIBIjANBgkqhkiGw0BAQEFAAOCAQ8AMIICgKCAQEA13CivdSkNzRnOnR5
ZNiReD+AgbL7BWjRiw3RwjxRp5PYzvAGuj94yR6LRh3QybYtsMFbSg5J7fNq6
Ld6yMpMrUu8CBOnYY456b/2jlf+Vp8vEQuKvPOOw8Ev6x7X3blcuXCELSwyL3
AGHq9OP2RV6V6CIE863zzuYH5HDLzU35oMZqogJVRJM0+6besH6TnSTNiA7xi
BAqFaiRNQRVi1CAUa0bkN1XRp4AFy7d63VldOsM+8QnCNHySdDr1XevVuq6DK
LQyGexFy4niALgHV0Q7A+xP1c2G6rJomZmn4j1avnlBpU87E58JMrRHOCj+5m
Xj22/QDAQABo0IwQDAPgNVHRMBAf8EBTADAQHMB0GA1UdDgQWBBT6FvNkuUgu
tk3OYQi4lo5aOgwazAOgNVHQ8BAf8EBAMCAoQDQYJKoZIhvcNAQELBQADggEB
ADCLj+L22pEKyqaIUlhUJh7DAiDSLafy0fw56CntzPhqiZVVRlhxeAKidkCLV
r9IEbRuxUoXiQSezPqM//9xHegMp0f2VauVCFg7EpUanYwvqFqjy9LWgH+SBz
4uroLSZ5g1EPsHtlArLChA90caTX4e7Z7Xlu8G2kHRJB5nC7ycdbMUvEWBMeI
tn/pcbmZ3/vlgj4UTEnURe2UPmSJpxmPwXqBcvwdKHRMgFXhZxojWCi0z4ftf
f8t8UJIcbEblnkYe7wzYy8tOXoMMHqGSisCdkp/866029rJsKbwd8rVIyKNC5
frGYaw+0cxO6/WvSir0eA=
-----END CERTIFICATE-----
"
}
```
### Clerk
Clerk integrates with Hasura GraphQL Engine using JWTs.
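Review bot: the hunk header (-768,46 +776,6) shows this region shrinking from 46 lines to 6, so the Auth0 thumbprint-bug paragraph, the `/pem` workaround and the inline certificate in the `key` example are presumably being dropped, yet the commit message only mentions documenting the Cognito padding issue; either state the Auth0 removal (and why the workaround is no longer needed) in the commit message or split it into its own commit. If any of that Auth0 text is meant to survive, "X590 certificate" should be "X.509 certificate" and "Current workaround is - download" should use a colon rather than a dash.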