mirror of
https://github.com/hasura/graphql-engine.git
synced 2024-10-26 10:20:54 +03:00
docs: document known issue of invalid JWT padding by AWS Cognito + ELB
PR-URL: https://github.com/hasura/graphql-engine-mono/pull/10919 GitOrigin-RevId: 682d3918a3f018fd6c7d1d6a2b9ecdb6fca66df1
This commit is contained in:
parent
7a0eb6847a
commit
aa77448b2f
@ -741,15 +741,23 @@ Once authenticated, all operations are allowed without further check, until the
|
|||||||
|
|
||||||
## Popular providers and known issues
|
## Popular providers and known issues
|
||||||
|
|
||||||
|
### AWS Cognito
|
||||||
|
|
||||||
|
AWS Cognito and ELB (Elastic Load Balancer) has a known issue where it adds additional padding
|
||||||
|
(using = characters) to the JWT token that is generated from Cognito.
|
||||||
|
|
||||||
|
This is a known issue and is documented by AWS in [their
|
||||||
|
docs](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html#user-claims-encoding):
|
||||||
|
|
||||||
|
> Standard libraries are not compatible with the padding that is included in the Application Load
|
||||||
|
> Balancer authentication token in JWT format.
|
||||||
|
|
||||||
|
Currently, there is no workaround possible in Hasura. Even if Hasura strips the additional padding
|
||||||
|
the signature verification of the token would fail (as Hasura had to tamper the token).
|
||||||
|
|
||||||
### Firebase
|
### Firebase
|
||||||
|
|
||||||
This page of the Firebase
|
Firebase publishes the JWKs at:
|
||||||
[docs](https://firebase.google.com/docs/auth/admin/verify-id-tokens#verify_id_tokens_using_a_third-party_jwt_library)
|
|
||||||
mentions that JWKs are published under:
|
|
||||||
|
|
||||||
[https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com](https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com)
|
|
||||||
|
|
||||||
But that is a non-standard format. Firebase also publishes the same certificates as the proper JWK format under:
|
|
||||||
|
|
||||||
[https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com](https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com)
|
[https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com](https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com)
|
||||||
|
|
||||||
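Review bot: the new AWS Cognito paragraph attributes the padding to "AWS Cognito and ELB", but the AWS text it quotes says the padding is in the Application Load Balancer's authentication token; make the ALB the subject and fix the agreement ("has ... it adds" with a plural subject), e.g. "When an Application Load Balancer authenticates users through Cognito, the JWT it forwards contains non-standard `=` padding that standard JWT libraries reject." The closing sentence should also state why stripping the padding is not a fix rather than only asserting it: if the signature covers the encoded header and payload exactly as the load balancer emitted them, removing characters changes the signed input and verification fails ("tamper the token" should read "tamper with the token"). In the Firebase part of the hunk, the replaced text drops the explanation of why the x509 metadata URL is not used; keeping one clause ("the x509 endpoint is not in JWK format") helps readers who still find that URL in older guides.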
@ -768,46 +776,6 @@ If you are using Firebase and Hasura, use this config:
|
|||||||
Refer to the [Auth0 JWT Integration tutorial](https://hasura.io/learn/graphql/hasura-authentication/integrations/auth0/)
|
Refer to the [Auth0 JWT Integration tutorial](https://hasura.io/learn/graphql/hasura-authentication/integrations/auth0/)
|
||||||
for a detailed guide on integrating Auth0 with Hasura.
|
for a detailed guide on integrating Auth0 with Hasura.
|
||||||
|
|
||||||
Auth0 publishes their JWK under:
|
|
||||||
|
|
||||||
`https://<your-auth0-domain>.auth0.com/.well-known/jwks.json`
|
|
||||||
|
|
||||||
But they have a
|
|
||||||
[bug where the certificate thumbprint does not match](https://community.auth0.com/t/certificate-thumbprint-is-longer-than-20-bytes/7794/3).
|
|
||||||
Hence, currently this URL does not work with Hasura.
|
|
||||||
|
|
||||||
Current workaround is - download the X590 certificate from:
|
|
||||||
|
|
||||||
`https://<your-auth0-domain>.auth0.com/pem`
|
|
||||||
|
|
||||||
And use it in the `key` field:
|
|
||||||
|
|
||||||
```json
|
|
||||||
{
|
|
||||||
"type":"RS512",
|
|
||||||
"key": "-----BEGIN CERTIFICATE-----
|
|
||||||
MIIDDTCAfWgAwIBAgIJhNlZ11IDrxbMA0GCSqSIb3DQEBCwUAMCQxIjAgBgNV
|
|
||||||
BAMTGXlc3QtaGdlLWp3C5ldS5hdXRoMC5jb20HhcNMTgwNzMwMTM1MjM1WhcN
|
|
||||||
MzIwND3MTM1MjM1WjAkSIwIAYDVQQDExl0ZXNLWhnZS1qd3QuZXUuYXV0aDAu
|
|
||||||
Y29tMIBIjANBgkqhkiGw0BAQEFAAOCAQ8AMIICgKCAQEA13CivdSkNzRnOnR5
|
|
||||||
ZNiReD+AgbL7BWjRiw3RwjxRp5PYzvAGuj94yR6LRh3QybYtsMFbSg5J7fNq6
|
|
||||||
Ld6yMpMrUu8CBOnYY456b/2jlf+Vp8vEQuKvPOOw8Ev6x7X3blcuXCELSwyL3
|
|
||||||
AGHq9OP2RV6V6CIE863zzuYH5HDLzU35oMZqogJVRJM0+6besH6TnSTNiA7xi
|
|
||||||
BAqFaiRNQRVi1CAUa0bkN1XRp4AFy7d63VldOsM+8QnCNHySdDr1XevVuq6DK
|
|
||||||
LQyGexFy4niALgHV0Q7A+xP1c2G6rJomZmn4j1avnlBpU87E58JMrRHOCj+5m
|
|
||||||
Xj22/QDAQABo0IwQDAPgNVHRMBAf8EBTADAQHMB0GA1UdDgQWBBT6FvNkuUgu
|
|
||||||
tk3OYQi4lo5aOgwazAOgNVHQ8BAf8EBAMCAoQDQYJKoZIhvcNAQELBQADggEB
|
|
||||||
ADCLj+L22pEKyqaIUlhUJh7DAiDSLafy0fw56CntzPhqiZVVRlhxeAKidkCLV
|
|
||||||
r9IEbRuxUoXiQSezPqM//9xHegMp0f2VauVCFg7EpUanYwvqFqjy9LWgH+SBz
|
|
||||||
4uroLSZ5g1EPsHtlArLChA90caTX4e7Z7Xlu8G2kHRJB5nC7ycdbMUvEWBMeI
|
|
||||||
tn/pcbmZ3/vlgj4UTEnURe2UPmSJpxmPwXqBcvwdKHRMgFXhZxojWCi0z4ftf
|
|
||||||
f8t8UJIcbEblnkYe7wzYy8tOXoMMHqGSisCdkp/866029rJsKbwd8rVIyKNC5
|
|
||||||
frGYaw+0cxO6/WvSir0eA=
|
|
||||||
-----END CERTIFICATE-----
|
|
||||||
"
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
### Clerk
|
### Clerk
|
||||||
|
|
||||||
Clerk integrates with Hasura GraphQL Engine using JWTs.
|
Clerk integrates with Hasura GraphQL Engine using JWTs.
|
||||||
|
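Review bot: this hunk deletes the Auth0 thumbprint-bug note and the PEM `key` workaround (the JSON block with the embedded certificate) without replacing them, so the Auth0 section now only links to the tutorial. If the JWKS endpoint `https://<your-auth0-domain>.auth0.com/.well-known/jwks.json` now works with Hasura, say so in one sentence so readers who meet the old workaround in the tutorial or in community threads know it is obsolete; if it does not, the note belongs under the new "Popular providers and known issues" heading rather than being removed. If a replacement example is added later, it should use an obviously placeholder PEM instead of a real-looking certificate.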