I am currently building chat application with microservice architecture, where auth(login and signup) service and chat service are separated using Graphql. I was trying to attach a JWT to the request header of query, mutation and subscription to extract user id from it to use for inner logic in the services. However, I cannot properly set the token to the header or subscription parameter in Altair Graphql, although token is successfully set for the query and mutation in exact same manner.
My questions are;
Is there any way to attach JWT token to the request header?
Is there any better way to send JWT token to the graphql subscription request?
Moreover, the ways I tried to set the token for subscription request are the following;
Thank you.
The websocket API doesn't support setting arbitrary headers in the upgrade request. This also includes authentication related headers.
There are common patterns taking to secure websocket applications that can be used instead.
With regards to GraphQL subscription over websocket, depending on your implementation, you can pass the authentication credentials in the connection parameters. One example is what is done in Apollo GraphQL via both graphql-ws and subscriptions-transport-ws.
In conclusion, this is not something that Altair GraphQL has any control over, but it's a limitation of the websocket API itself.
Hope that helps.
Related
So I'm developing an API using NestJS. Currently, my way of authenticating users is via Passport Local strategy. Simple enough. However, my app has a possible integration with 3rd party applications. Which means, others may create an app that would request data via my API. And the only reasonable way that I can think of, for them to be able to do so is via JWT. My question is, is there a way in NestJS for a guard to handle multiple strategies?
Say, I have this route: GET https://www.myhost.com/api/employee. If my first party application tries to access this route, the guard would look for a session Cookie from the request header. But, if a 3rd party application tries to send a request on the same route, the guard would look for bearer token inside Authorization header
I want to use auth from google firebase, and integrate it with spring boot.
I am not sure that I have good idea how to implement roles/authorities.
I have in mind this scenario:
On success authentication with firebase, frontend send request to secured spring backend endpoint, and data on this endpoint contains which roles should user have, so frontend use this data to set claims for user. Backend use claims to authorize user when accessing endpoints.
Is this okey, or is there faster/better solution?
That sounds like a good approach. Have a look at the Firebase documentation on verifying ID tokens as that'll be your starting point once your backend receives the token from the client.
The only addition I can make at this point is that many of Firebase's own backend services cache recently decoded tokens (with the undecoded token as the key) to allow subsequent requests to more quickly look up the information for that token. While this is not required, it's an easy speed up once you're ready for that.
I'm building out a backend REST API app, and it takes in requests from a client that uses Firebase Authentication, which will be passing in the JWT Token in the headers of all requests.
Should I still require UserID in the request body for requests, or should I just have the JWT Token be my source for decoding and fetching the UserID for all requests?
Using SpringBoot, and I think I can create a filter to decode the JWT for all requests and then create a User object that can be referenced throughout the chain.
But I'm not sure if it still makes sense to also require the UserID, if anything just as a point of documentation to say the UserID is being used here to handle business logic. Watcha think?
I don't think this would make any sense. You wouldn't actually use the value from the request body anywhere in the code, would you? Since your concern seems to be abobut documentation I'd rather clearly describe that resources in your application are bound to the authenticated user.
I'm developing backend for oauth2 client. I'm using authorization_grant flow with PKCE extension. I'm trying to implement it in such way that code verifier and code challenge is generated on clients side. So i have to add additional parameters to my token request (the second request, when input is authorization code and my application exchange it for access token).
My app will have to take this code_verifier from request param and pass it to authorization server with authorization code, client id, and client secret.
So now I'm struggling with customizing spring-security-oauth2-client to add additional parameter. There is way to add such parameters to authorization request by implementing OAuth2AuthorizationRequestResolver, but is there analogical way for adding parameters to token request?
Or maybe should i implement this endpoint manually?
I feel your pain, since Spring OAuth Security is often poorly documented for common use cases. One option you might consider is to provide a custom Spring filter that uses the open source nimbusds libraries, which have very good documentation and are easy to use.
I am currently developing an API that I plan to secure using oauth2.
I have chosen: https://github.com/lucadegasperi/oauth2-server-laravel/
I have managed to secure the endpoint (using before=>oauth in my api routes) by following the installation guide but I am at a loss as to how am I gonna be able to authenticate and access the endpoint.
I do understand that you will first need to request an access_token by sending a client_id and client_secret but what I don't get is where do I set those on the oauth server?
I see the oauth controller has endpoints for these like:
http://somedomain.com/oauth/authorize
http://somedomain.com/oauth/access_token
But I am clueless with what to do with them. I only managed to arrive at the conclusion that it needs a client_id, client_secret, and stuff about scopes.
Where can I set these values for the api client to use?
Thank you for your help in advance.
I don't know Laravel, but in general, the authorization endpoint (in your case, http://somedomain.com/oauth/authorize) behaves as described in RFC 6749.
The specification defines four flows. If you use Authorization Code Flow among the flows, you should access the authorization endpoint with the following request parameters.
response_type=code (required)
client_id={your-client-id} (required)
scope={space-delimited-scope-names} (optional)
redirect_uri={your-redirect-uri} (conditionally optional)
state={any-arbitrary-string} (optional)
For example,
http://somedomain.com/oauth/authorize?response_type=code&client_id=your-client-id&scope=profile+email
The authorization endpoint generates an authorization code and returns it to your browser.
The next step is to access the token endpoint (in your case, http://somedomain.com/oauth/access_token) with the authorization code which has been issued from the authorization endpoint. Like this,
POST
http://somedomain.com/oauth/access_token?grant_type=authorization_code&code=issued-authorization-code&client_id=your-client-id&client_secret=your-client-secret
Anyway, I recommend you read RFC 6749.