diff --git a/docs/docs/auth/authentication/jwt.mdx b/docs/docs/auth/authentication/jwt.mdx index d40df6f8223..7ae5d4b4fde 100644 --- a/docs/docs/auth/authentication/jwt.mdx +++ b/docs/docs/auth/authentication/jwt.mdx @@ -741,15 +741,23 @@ Once authenticated, all operations are allowed without further check, until the ## Popular providers and known issues +### AWS Cognito + +AWS Cognito and ELB (Elastic Load Balancer) has a known issue where it adds additional padding +(using = characters) to the JWT token that is generated from Cognito. + +This is a known issue and is documented by AWS in [their +docs](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html#user-claims-encoding): + +> Standard libraries are not compatible with the padding that is included in the Application Load +> Balancer authentication token in JWT format. + +Currently, there is no workaround possible in Hasura. Even if Hasura strips the additional padding +the signature verification of the token would fail (as Hasura had to tamper the token). + ### Firebase -This page of the Firebase -[docs](https://firebase.google.com/docs/auth/admin/verify-id-tokens#verify_id_tokens_using_a_third-party_jwt_library) -mentions that JWKs are published under: - -[https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com](https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com) - -But that is a non-standard format. Firebase also publishes the same certificates as the proper JWK format under: +Firebase publishes the JWKs at: [https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com](https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com) 
@@ -768,46 +776,6 @@ If you are using Firebase and Hasura, use this config: Refer to the [Auth0 JWT Integration tutorial](https://hasura.io/learn/graphql/hasura-authentication/integrations/auth0/) for a detailed guide on integrating Auth0 with Hasura. -Auth0 publishes their JWK under: - -`https://.auth0.com/.well-known/jwks.json` - -But they have a -[bug where the certificate thumbprint does not match](https://community.auth0.com/t/certificate-thumbprint-is-longer-than-20-bytes/7794/3). -Hence, currently this URL does not work with Hasura. - -Current workaround is - download the X590 certificate from: - -`https://.auth0.com/pem` - -And use it in the `key` field: - -```json -{ - "type":"RS512", - "key": "-----BEGIN CERTIFICATE----- -MIIDDTCAfWgAwIBAgIJhNlZ11IDrxbMA0GCSqSIb3DQEBCwUAMCQxIjAgBgNV -BAMTGXlc3QtaGdlLWp3C5ldS5hdXRoMC5jb20HhcNMTgwNzMwMTM1MjM1WhcN -MzIwND3MTM1MjM1WjAkSIwIAYDVQQDExl0ZXNLWhnZS1qd3QuZXUuYXV0aDAu -Y29tMIBIjANBgkqhkiGw0BAQEFAAOCAQ8AMIICgKCAQEA13CivdSkNzRnOnR5 -ZNiReD+AgbL7BWjRiw3RwjxRp5PYzvAGuj94yR6LRh3QybYtsMFbSg5J7fNq6 -Ld6yMpMrUu8CBOnYY456b/2jlf+Vp8vEQuKvPOOw8Ev6x7X3blcuXCELSwyL3 -AGHq9OP2RV6V6CIE863zzuYH5HDLzU35oMZqogJVRJM0+6besH6TnSTNiA7xi -BAqFaiRNQRVi1CAUa0bkN1XRp4AFy7d63VldOsM+8QnCNHySdDr1XevVuq6DK -LQyGexFy4niALgHV0Q7A+xP1c2G6rJomZmn4j1avnlBpU87E58JMrRHOCj+5m -Xj22/QDAQABo0IwQDAPgNVHRMBAf8EBTADAQHMB0GA1UdDgQWBBT6FvNkuUgu -tk3OYQi4lo5aOgwazAOgNVHQ8BAf8EBAMCAoQDQYJKoZIhvcNAQELBQADggEB -ADCLj+L22pEKyqaIUlhUJh7DAiDSLafy0fw56CntzPhqiZVVRlhxeAKidkCLV -r9IEbRuxUoXiQSezPqM//9xHegMp0f2VauVCFg7EpUanYwvqFqjy9LWgH+SBz -4uroLSZ5g1EPsHtlArLChA90caTX4e7Z7Xlu8G2kHRJB5nC7ycdbMUvEWBMeI -tn/pcbmZ3/vlgj4UTEnURe2UPmSJpxmPwXqBcvwdKHRMgFXhZxojWCi0z4ftf -f8t8UJIcbEblnkYe7wzYy8tOXoMMHqGSisCdkp/866029rJsKbwd8rVIyKNC5 -frGYaw+0cxO6/WvSir0eA= ------END CERTIFICATE----- -" -} -``` - ### Clerk Clerk integrates with Hasura GraphQL Engine using JWTs.
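Review bot: In the first hunk (the new "AWS Cognito" section), the opening sentence attributes the extra `=` padding to "the JWT token that is generated from Cognito", but the AWS passage quoted just below it says the padding is in "the Application Load Balancer authentication token in JWT format". Please reword so the section says which component adds the padding, and use "Application Load Balancer" consistently rather than "ELB (Elastic Load Balancer)", so readers who use Cognito without a load balancer in front are not told their tokens are affected. Smaller wording points in the same block: "AWS Cognito and ELB ... has" should be "have", "This is a known issue" repeats the sentence before it, and "as Hasura had to tamper the token" reads better as "because Hasura would have to modify the signed token".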
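Review bot: In the second hunk, the Auth0 section loses the statement that `https://.auth0.com/.well-known/jwks.json` "does not work with Hasura" along with the `/pem` certificate workaround, and nothing replaces them, so the section no longer says how Auth0 keys should be configured. If the JWKS URL now works, add one sentence saying so (ideally with the version from which it works), so that users who followed the old instructions and pasted a certificate into the `key` field know they can switch. If the linked tutorial is meant to carry that information, say so explicitly in the remaining paragraph.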