diff --git a/docs/auth/jwt/jwt-configuration.mdx b/docs/auth/jwt/jwt-configuration.mdx index ddba4dff9..717e8ad52 100644 --- a/docs/auth/jwt/jwt-configuration.mdx +++ b/docs/auth/jwt/jwt-configuration.mdx @@ -21,24 +21,29 @@ This section describes the JSON Web Token (JWT) configuration options available Example JSON Web Token (JWT) payload configuration definition: -```json -{ - "type": "optional-type-of-key", - "key": "optional-key-as-string", - "jwk_url": "optional-url-to-refresh-jwks", - "sub": "optional-string-to-verify-subject", - "claims_namespace": "optional-key-name-in-claims", - "claims_namespace_path": "optional-json-path-to-the-claims", - "claims_format": "json|stringified_json", - "audience": "optional-string-or-list-of-strings-to-verify-audience", - "issuer": "optional-string-to-verify-issuer", - "claims_map": "optional-object-of-session-variable-to-claim-jsonpath-or-literal-value", - "allowed_skew": "optional-number-of-seconds-in-integer", - "header": "optional-key-to-indicate-cookie-or-authorization-header" -} +```yaml title="globals/metadata/auth-config.hml" +kind: AuthConfig +version: v2 +definition: + mode: + jwt: + claimsConfig: + namespace: + claimsFormat: Json + location: /claims.jwt.hasura.io + tokenLocation: + type: BearerAuthorization + key: + fixed: + algorithm: HS256 + key: + value: ultra-secret-very-secret-super-secret-key + audience: ["myapp-1234", "myapp-6789"] + allowedSkew: 60 + issuer: https://my-auth-server.com ``` -As a minimum, either the `type` **and** `key` values OR the `jwk_url` value **have to be present**. +As a minimum, either the `claimsConfig`, `tokenLocation`, **and** `key` values **have to be present**. ## Example Decoded Payload @@ -73,7 +78,7 @@ of this example JWT token. The signature secret to verify this token with the HS The `x-hasura-role` value can be sent as a plain **header** in the request to indicate the role which should be used. When your auth server generates the JWT, the custom claims in the JWT **must contain the following** in a custom -namespace. This namespace can be any string you choose, as long as it matches the `claims_namespace` defined in your +namespace. This namespace can be any string you choose, as long as it matches the `namespace.location` defined in your AuthConfig. Using `claims.jwt.hasura.io` will match our examples. 1. A `x-hasura-default-role` field. The role that will be used when the optional `x-hasura-role` _header_ is **not @@ -128,55 +133,32 @@ your auth provider. ## Hasura JWT configuration options -### type {#jwt-json-type} +### claimsConfig -This specifies the cryptographic signing algorithm which is used to sign the JWTs. Valid values are : `HS256`, `HS384`, -`HS512`, `RS256`, `RS384`, `RS512`, `ES256`, `ES384`, `PS256`, `PS384`, `PS512`, `EdDSA`. +You can specify where the engine should look for the claims within the decoded token either with one of `namespace` and `locations` options. -### key {#jwt-json-key} +#### namespace {#jwt-claims-config-namespace} -- In the case of a symmetric key (i.e. a HMAC-based key), just the key as is. (e.g. -"abcdef..."). The key must be long - enough for the chosen algorithm, (e.g. for HS256 it must be at least 32 characters long). -- In the case of an asymmetric key (RSA, EdDSA, ECDSA etc.), only the **public** key, in a PEM-encoded string or as an - X509 certificate. - -This is an optional field. You can also provide a URL to fetch JWKs from using the `jwk_url` field. - -### jwk_url {#jwt-json-jwk_url} - -An URL where a provider publishes their JWKs (JSON Web Keys - which are used for signing the JWTs). The URL **must** -publish the JWKs in the standard format as described [here](https://tools.ietf.org/html/rfc7517). - -This is optional as you have the alternative of also providing the key (certificate, PEM-encoded public key) as a -string - in the [`key`](#jwt-json-key) field along with the [`type`](#jwt-json-type). - -DDN does not currently support rotating JWKs. +The `namespace` option is used when all of the Hasura claims are present in a single object within the decoded JWT. +Our example uses `claims.jwt.hasura.io` in the [Example Decoded Payload](#example-decoded-payload). -### JWK publisher URLs - -- Auth0 publishes their JWK url at: `https://.auth0.com`. -- Firebase publishes their JWK url at: - `https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com`. - -### claims_namespace {#claims-namespace} - -This namespace can be any string you choose, as long as it matches the `claims_namespace` defined in your AuthConfig. -Using `claims.jwt.hasura.io` will match our examples. - -### claims_format - -This is an optional field, with only the following possible values allowed: `json`, `stringified_json` +```yaml +claimsConfig: + namespace: + claimsFormat: Json + location: /claims.jwt.hasura.io +``` -The default is `json`. +The `location` field indicates the location of the namespace object that uses [RFC 6901 JSON Pointer](https://datatracker.ietf.org/doc/html/rfc6901) string syntax. -This is to indicate whether the Hasura-specific claims are a regular JSON object or a stringified JSON. +The `claimsFormat` field indicates whether the Hasura-specific claims are a regular JSON object or a stringified JSON. The following possible values are allowed: `Json`, `StringifiedJson`. This is required because providers like AWS Cognito only allow strings in the JWT claims. [See #1176](https://github.com/hasura/graphql-engine/issues/1176). -Example: +**Example**: -If `claims_format` is `json` then the JWT claims should look like: +If `claimsFormat` is `Json` then the JWT claims should look like: ```json { @@ -194,7 +176,7 @@ If `claims_format` is `json` then the JWT claims should look like: } ``` -If `claims_format` is `stringified_json` then the JWT claims should look like: +If `claimsFormat` is `StringifiedJson` then the JWT claims should look like: ```json { @@ -206,107 +188,18 @@ If `claims_format` is `stringified_json` then the JWT claims should look like: } ``` -### audience - -This is an optional field. Certain providers might set a claim which indicates the intended audience for the JWT. This -can be checked by setting this field. - -When this field is set, during the verification process of the JWT, the `aud` claim in the JWT will be checked to see -whether it is equal to the `audience` field given in the configuration. If they are not equal then the JWT will be -rejected. - -See the [RFC](https://tools.ietf.org/html/rfc7519#section-4.1.3) for more details. - -This field can be a string, or a list of strings. - -Examples: - -```json -{ - "jwk_url": "https://......", - "audience": "myapp-1234" -} -``` - -or - -```json -{ - "jwk_url": "https://......", - "audience": ["myapp-1234", "myapp-6789"] -} -``` - -:::danger Audience Security Vulnerability - -Certain JWT providers share JWKs between multiple tenants. They use the `aud` claim of the JWT to specify the intended -audience. Setting the `audience` field in the Hasura JWT configuration will make sure that the `aud` claim from the JWT -is also checked during verification. Not doing this check will allow JWTs issued for other tenants to be valid as well. - -In these cases, you **MUST** set the `audience` field to the appropriate value. Failing to do so is a **major security -vulnerability**. - -::: - -### issuer - -This is an optional field. It takes a string value. - -When this field is set, during the verification process of the JWT, the `iss` claim in the JWT will be checked to see -whether it is equal to the `issuer` field given in the configuration. If they are not equal then the JWT will be -rejected. - -See [RFC](https://tools.ietf.org/html/rfc7519#section-4.1.1) for more details. - -Examples: - -```json -{ - "jwk_url": "https://......", - "issuer": "https://my-auth-server.com" -} -``` - -#### Issuer Notes +#### locations {#jwt-claims-config-locations} -- Certain providers require you to verify the `iss` claim on the JWT. To do that you can set this field to the - appropriate value. -- A JWT configuration without an issuer will match any issuer field present in an incoming JWT. -- An incoming JWT without an issuer specified will match a configuration even if it specifies an issuer. - -### claims_map +This `locations` option can be used when Hasura claims are not all present in the single object, but individual claims are provided a JSON pointer within the decoded JWT. +In this option, you can indicate: +- a literal value. +- or a JSON pointer path for individual claims and an optional default value if the claim doesn't exist. -This is an optional field. Certain providers might not allow adding custom claims. In such a case, you can map Hasura -session variables with existing JWT claims using `claims_map`. The `claims_map` is a JSON object where keys are session -variables and values can be a JSON path (with a default value option, when the key specified by the JSON path doesn't -exist) or a literal value. +`x-hasura-default-role` and `x-hasura-allowed-roles` claims are required. Other custom claims are optionally configured. The literal values should be of type `String`, except for the `x-hasura-allowed-roles` claim which expects a string array. -The value of a claim referred by a JSON path must be a string. To use the JSON path value, the path needs to be given in -a JSON object with `path` as the key and the JSON path as the value: - -```json -{ - "path": "$.user.all_roles" -} -``` - -```json -{ - "path": "$.roles.default", - "default": "user" -} -``` - -:::info Claims map precedence - -If `claims_map` is provided in the JWT config, `claims_namespace`/`claims_namespace_path` and `claims_format` will be -ignored. - -::: - **Example: JWT config with JSON path values** ```json @@ -325,18 +218,20 @@ ignored. ``` The mapping for `x-hasura-allowed-roles`, `x-hasura-default-role` and `x-hasura-user-id` session variables can be -specified in the `claims_map` configuration as follows: +specified in the `locations` configuration as follows: -```json -{ - "type": "RS512", - "key": "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdlatRjRjogo3WojgGHFHYLugd\nUWAY9iR3fy4arWNA1KoS8kVw33cJibXr8bvwUAUparCwlvdbH6dvEOfou0/gCFQs\nHUfQrSDv+MuSUMAe8jzKE4qW+jK+xQU9a03GUnKHkkle+Q0pX/g6jXZ7r1/xAK5D\no2kQ+X5xK9cipRgEKwIDAQAB\n-----END PUBLIC KEY-----\n", - "claims_map": { - "x-hasura-allowed-roles": { "path": "$.hasura.all_roles" }, - "x-hasura-default-role": { "path": "$.hasura.all_roles[0]" }, - "x-hasura-user-id": { "path": "$.user.id" } - } -} +```yaml +claimsConfig: + locations: + x-hasura-default-role: + path: + path: /hasura/all_roles/0 + x-hasura-allowed-roles: + path: + path: /hasura/all_roles + x-hasura-user-id: + path: + path: /user/id ``` **Example: JWT config with JSON path values and default values** @@ -353,20 +248,23 @@ specified in the `claims_map` configuration as follows: } ``` -```json -{ - "type": "RS512", - "key": "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdlatRjRjogo3WojgGHFHYLugd\nUWAY9iR3fy4arWNA1KoS8kVw33cJibXr8bvwUAUparCwlvdbH6dvEOfou0/gCFQs\nHUfQrSDv+MuSUMAe8jzKE4qW+jK+xQU9a03GUnKHkkle+Q0pX/g6jXZ7r1/xAK5D\no2kQ+X5xK9cipRgEKwIDAQAB\n-----END PUBLIC KEY-----\n", - "claims_map": { - "x-hasura-allowed-roles": { "path": "$.hasura.all_roles" }, - "x-hasura-default-role": { "path": "$.hasura.all_roles[0]" }, - "x-hasura-user-id": { "path": "$.user.id", "default": "ujdh739kd" } - } -} +```yaml +claimsConfig: + locations: + x-hasura-default-role: + path: + path: /hasura/all_roles/0 + x-hasura-allowed-roles: + path: + path: /hasura/all_roles + x-hasura-user-id: + path: + path: /user/id + default: ujdh739kd ``` -In the above case, since the `$.user.id` doesn't exist in the JWT token, the default value of the `x-hasura-user-id` i.e -"ujdh739kd" will be used +In the above case, since the `/user/id` doesn't exist in the JWT token, the default value of the `x-hasura-user-id` i.e +`ujdh739kd` will be used **Example: JWT config containing literal values** @@ -384,66 +282,191 @@ In the above case, since the `$.user.id` doesn't exist in the JWT token, the def The corresponding JWT config should be: -```json -{ - "type": "RS512", - "key": "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdlatRjRjogo3WojgGHFHYLugd\nUWAY9iR3fy4arWNA1KoS8kVw33cJibXr8bvwUAUparCwlvdbH6dvEOfou0/gCFQs\nHUfQrSDv+MuSUMAe8jzKE4qW+jK+xQU9a03GUnKHkkle+Q0pX/g6jXZ7r1/xAK5D\no2kQ+X5xK9cipRgEKwIDAQAB\n-----END PUBLIC KEY-----\n", - "claims_map": { - "x-hasura-allowed-roles": ["user", "editor"], - "x-hasura-default-role": "user", - "x-hasura-user-id": { "path": "$.user.id" } - } -} +```yaml +claimsConfig: + locations: + x-hasura-default-role: + literal: user + x-hasura-allowed-roles: + literal: ["user", "editor"] + x-hasura-user-id: + path: + path: /user/id ``` In the above example, the `x-hasura-allowed-roles` and `x-hasura-default-role` values are set in the JWT config and the value of the `x-hasura-user-id` is a JSON path to the value in the JWT token. -### allowed_skew +### tokenLocation -`allowed_skew` is an optional field to provide some leeway (to account for clock skews) while comparing the JWT expiry -time. This field expects an integer value which will be the number of seconds of the skew value. +Indicates the token location where request header to read the JWT from. + +The following are the possible values: -### header +#### BearerAuthorization -This is an optional field, which indicates which request header to read the JWT from. This field is a stringified JSON -object. +In this mode, Hasura expects an `Authorization` header with a `Bearer` token. -The following are the possible values: +```yaml +tokenLocation: + type: BearerAuthorization +``` -- `{"type": "Authorization"}` -- `{"type": "Cookie", "name": "cookie_name" }` -- `{"type": "CustomHeader", "name": "header_name" }` +The JWT header should look like: -Default is `{"type": "Authorization"}`. +```none +Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWI... +``` -In the default mode, Hasura expects an `Authorization` header with a `Bearer` token. +#### Cookie In the cookie mode, Hasura will try to parse the cookie header with the given cookie name. The value of the cookie should be the exact JWT. -In the custom header mode, Hasura expects a `header_name` header with the exact JWT token value. - -Example: +```yaml +tokenLocation: + type: Cookie + name: cookie_name +``` -If `header` is `{"type": "Authorization"}` then JWT header should look like: +The JWT header should look like: ```none -Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWI... +Cookie: cookie_name=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWI... ``` -If `header` is `{"type": "Cookie", "name": "cookie_name" }` then JWT header should look like: +#### Header -```none -Cookie: cookie_name=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWI... +In the custom header mode, Hasura expects a `header_name` header with the exact JWT token value. + +```yaml +tokenLocation: + type: Header + name: header_name ``` -If `header` is `{"type": "CustomHeader", "name": "header_name" }` then JWT header should look like: +The JWT header should look like: ```none header_name: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWI... ``` +### key {#jwt-json-key} + +This field specifies the JWT key configuration according to which the incoming JWT will be decoded. +You can configure either a `fixed` algorithm key or a remote JWK URL. + +#### fixed {#jwt-json-key-fixed} + +In this option, you must indicate a JWT key and its algorithm so the engine can decode and verify the JWT token. + +```yaml +key: + fixed: + algorithm: HS256 + key: + value: ultra-secret-very-secret-super-secret-key + # valueFromEnv: AUTH_JWT_KEY +``` + +The `algorithm` field specifies the cryptographic signing algorithm which is used to sign the JWTs. Valid values are: `HS256`, `HS384`, +`HS512`, `RS256`, `RS384`, `RS512`, `ES256`, `ES384`, `PS256`, `PS384`, `PS512`, `EdDSA`. + +The `key` field can be a literal value or an environment variable name. + +- In the case of a symmetric key (i.e. a HMAC-based key), just the key as is. (e.g. -"abcdef..."). The key must be long + enough for the chosen algorithm, (e.g. for HS256 it must be at least 32 characters long). +- In the case of an asymmetric key (RSA, EdDSA, ECDSA etc.), only the **public** key, in a PEM-encoded string or as an + X509 certificate. + +#### jwkFromUrl {#jwt-json-jwk_url} + +An URL where a provider publishes their JWKs (JSON Web Keys - which are used for signing the JWTs). The URL **must** +publish the JWKs in the standard format as described [here](https://tools.ietf.org/html/rfc7517). + +For example: + +- Auth0 publishes their JWK url at: `https://.auth0.com`. +- Firebase publishes their JWK url at: + `https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com`. + +```yaml +key: + jwkFromUrl: https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com +``` + +DDN does not currently support rotating JWKs. + +### audience + +This is an optional field. Certain providers might set a claim which indicates the intended audience for the JWT. This +can be checked by setting this field. + +When this field is set, during the verification process of the JWT, the `aud` claim in the JWT will be checked to see +whether it is equal to the `audience` field given in the configuration. If they are not equal then the JWT will be +rejected. + +See the [RFC](https://tools.ietf.org/html/rfc7519#section-4.1.3) for more details. + +This field must be a list of strings. + +Examples: + +```yaml +kind: AuthConfig +version: v2 +definition: + mode: + jwt: + # ... + audience: ["myapp-1234", "myapp-6789"] +``` + +:::danger Audience Security Vulnerability + +Certain JWT providers share JWKs between multiple tenants. They use the `aud` claim of the JWT to specify the intended +audience. Setting the `audience` field in the Hasura JWT configuration will make sure that the `aud` claim from the JWT +is also checked during verification. Not doing this check will allow JWTs issued for other tenants to be valid as well. + +In these cases, you **MUST** set the `audience` field to the appropriate value. Failing to do so is a **major security +vulnerability**. + +::: + +### issuer + +This is an optional field. It takes a string value. + +When this field is set, during the verification process of the JWT, the `iss` claim in the JWT will be checked to see +whether it is equal to the `issuer` field given in the configuration. If they are not equal then the JWT will be +rejected. + +See [RFC](https://tools.ietf.org/html/rfc7519#section-4.1.1) for more details. + +Examples: + +```yaml +kind: AuthConfig +version: v2 +definition: + mode: + jwt: + # ... + issuer: https://my-auth-server.com +``` + +#### Issuer Notes + +- Certain providers require you to verify the `iss` claim on the JWT. To do that you can set this field to the + appropriate value. +- A JWT configuration without an issuer will match any issuer field present in an incoming JWT. +- An incoming JWT without an issuer specified will match a configuration even if it specifies an issuer. + +### allowed_skew + +`allowedSkew` is an optional field to provide some leeway (to account for clock skews) while comparing the JWT expiry +time. This field expects an integer value which will be the number of seconds of the skew value. + ### Hasura JWT Config Examples #### HMAC-SHA based @@ -451,11 +474,23 @@ header_name: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWI... Your auth server is using HMAC-SHA algorithms to sign JWTs, and is using a 256-bit key. In this case, the JWT config will look like: -```json -{ - "type": "HS256", - "key": "3EK6FD+o0+c7tzBNVfjpMkNDi2yARAAKzQlk8O2IKoxQu4nF7EdAh8s3TwpHwrdWT6R" -} +```yaml +kind: AuthConfig +version: v2 +definition: + mode: + jwt: + claimsConfig: + namespace: + claimsFormat: Json + location: /claims.jwt.hasura.io + tokenLocation: + type: BearerAuthorization + key: + fixed: + algorithm: HS256 + key: + value: 3EK6FD+o0+c7tzBNVfjpMkNDi2yARAAKzQlk8O2IKoxQu4nF7EdAh8s3TwpHwrdWT6R ``` The `key` is the actual shared secret, which is used by Hasura and the external auth server. @@ -467,28 +502,62 @@ have the public key. **Example 1**: public key in PEM format (not OpenSSH format): -```json -{ - "type": "RS512", - "key": "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdlatRjRjogo3WojgGHFHYLugd\nUWAY9iR3fy4arWNA1KoS8kVw33cJibXr8bvwUAUparCwlvdbH6dvEOfou0/gCFQs\nHUfQrSDv+MuSUMAe8jzKE4qW+jK+xQU9a03GUnKHkkle+Q0pX/g6jXZ7r1/xAK5D\no2kQ+X5xK9cipRgEKwIDAQAB\n-----END PUBLIC KEY-----\n" -} +```yaml +kind: AuthConfig +version: v2 +definition: + mode: + jwt: + claimsConfig: + namespace: + claimsFormat: Json + location: /claims.jwt.hasura.io + tokenLocation: + type: BearerAuthorization + key: + fixed: + algorithm: RS512 + key: + value: '-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdlatRjRjogo3WojgGHFHYLugd\nUWAY9iR3fy4arWNA1KoS8kVw33cJibXr8bvwUAUparCwlvdbH6dvEOfou0/gCFQs\nHUfQrSDv+MuSUMAe8jzKE4qW+jK+xQU9a03GUnKHkkle+Q0pX/g6jXZ7r1/xAK5D\no2kQ+X5xK9cipRgEKwIDAQAB\n-----END PUBLIC KEY-----\n' ``` **Example 2**: public key as X509 certificate: -```json -{ - "type": "RS512", - "key": "-----BEGIN CERTIFICATE-----\nMIIDHDCCAgSgAwIBAgIINw9gva8BPPIwDQYJKoZIhvcNAQEFBQAwMTEvMC0GA1UE\nAxMmc2VjdXJldG9rZW4uc3lzdGVtLmdzZXJ2aWNlYWNjb3VudC5jb20wHhcNMTgQt7dIsMTIU9k1SUrFviZOGnmHWtIAw\nmtYBcM9I0f9/ka45JIRp5Y1NKpAMFSShs7Wv0m1JS1kXQHdJsPSmjmDKcwnBe3R/\nTU3foRRywR/3AJRM15FNjTqvUm7TeaW16LkkRoECAwEAAaM4MDYwDAYDVR0TAQH/\nBAIwADAOBgNVHQ8BAf8EBAMCB4AwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwIwDQYJ\nKoZIhvcNAQEFBQADggEBADfY2DEmc2gb8/pqMNWHYq/nTYfJPpK4VA9A0lFTNeoq\nzmnbGwhKj24X+Nw8trsvkrKxHvCI1alDgBaCyzjGGvgOrh8X0wLtymp1yj6PWwee\nR2ZPdUaB62TCzO0iRv7W6o39ey+mU/FyYRtxF0ecxG2a0KNsIyFkciXUAeC5UVDo\nBNp678/SDDx9Ltuxc6h56a/hpBGf9Yzhr0RvYy3DmjBs6eopiGFmjnOKNxQrZ5t2\n339JWR+yiGEAtoHqk/fINMf1An6Rung1xYowrm4guhCIVi5unAvQ89fq0I6mzPg6\nLhTpeP0o+mVYrBmtYVpDpv0e71cfYowSJCCkod/9YbY=\n-----END CERTIFICATE-----" -} +```yaml +kind: AuthConfig +version: v2 +definition: + mode: + jwt: + claimsConfig: + namespace: + claimsFormat: Json + location: /claims.jwt.hasura.io + tokenLocation: + type: BearerAuthorization + key: + fixed: + algorithm: RS512 + key: + value: '-----BEGIN CERTIFICATE-----\nMIIDHDCCAgSgAwIBAgIINw9gva8BPPIwDQYJKoZIhvcNAQEFBQAwMTEvMC0GA1UE\nAxMmc2VjdXJldG9rZW4uc3lzdGVtLmdzZXJ2aWNlYWNjb3VudC5jb20wHhcNMTgQt7dIsMTIU9k1SUrFviZOGnmHWtIAw\nmtYBcM9I0f9/ka45JIRp5Y1NKpAMFSShs7Wv0m1JS1kXQHdJsPSmjmDKcwnBe3R/\nTU3foRRywR/3AJRM15FNjTqvUm7TeaW16LkkRoECAwEAAaM4MDYwDAYDVR0TAQH/\nBAIwADAOBgNVHQ8BAf8EBAMCB4AwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwIwDQYJ\nKoZIhvcNAQEFBQADggEBADfY2DEmc2gb8/pqMNWHYq/nTYfJPpK4VA9A0lFTNeoq\nzmnbGwhKj24X+Nw8trsvkrKxHvCI1alDgBaCyzjGGvgOrh8X0wLtymp1yj6PWwee\nR2ZPdUaB62TCzO0iRv7W6o39ey+mU/FyYRtxF0ecxG2a0KNsIyFkciXUAeC5UVDo\nBNp678/SDDx9Ltuxc6h56a/hpBGf9Yzhr0RvYy3DmjBs6eopiGFmjnOKNxQrZ5t2\n339JWR+yiGEAtoHqk/fINMf1An6Rung1xYowrm4guhCIVi5unAvQ89fq0I6mzPg6\nLhTpeP0o+mVYrBmtYVpDpv0e71cfYowSJCCkod/9YbY=\n-----END CERTIFICATE-----' ``` **Example 3**: public key published as JWKs: -```json -{ - "jwk_url": "https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com" -} +```yaml +kind: AuthConfig +version: v2 +definition: + mode: + jwt: + claimsConfig: + namespace: + claimsFormat: Json + location: /claims.jwt.hasura.io + tokenLocation: + type: BearerAuthorization + key: + jwkFromUrl: https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com ``` #### EdDSA based @@ -498,20 +567,44 @@ the public key. **Example 1**: public key in PEM format (not OpenSSH format): -```json -{ - "type": "Ed25519", - "key": "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAG9I+toAAJicilbPt36tiC4wi7E1Dp9rMmfnwdKyVXi0=\n-----END PUBLIC KEY-----" -} +```yaml +kind: AuthConfig +version: v2 +definition: + mode: + jwt: + claimsConfig: + namespace: + claimsFormat: Json + location: /claims.jwt.hasura.io + tokenLocation: + type: BearerAuthorization + key: + fixed: + algorithm: Ed25519 + key: + value: '-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAG9I+toAAJicilbPt36tiC4wi7E1Dp9rMmfnwdKyVXi0=\n-----END PUBLIC KEY-----' ``` **Example 2**: public key as X509 certificate: -```json -{ - "type": "Ed25519", - "key": "-----BEGIN CERTIFICATE REQUEST-----\nMIIBAzCBtgIBADAnMQswCQYDVQQGEwJERTEYMBYGA1UEAwwPd3d3LmV4YW1wbGUu\nY29tMCowBQYDK2VwAyEA/9DV/InajW02Q0tC/tyr9mCSbSnNP1txICXVJrTGKDSg\nXDBaBgkqhkiG9w0BCQ4xTTBLMAsGA1UdDwQEAwIEMDATBgNVHSUEDDAKBggrBgEF\nBQcDATAnBgNVHREEIDAegg93d3cuZXhhbXBsZS5jb22CC2V4YW1wbGUuY29tMAUG\nAytlcANBAKbTqnTyPcf4ZkVuq2tC108pBGY19VgyoI+PP2wD2KaRz4QAO7Bjd+7S\nljyJoN83UDdtdtgb7aFgb611gx9W4go=\n-----END CERTIFICATE REQUEST-----" -} +```yaml +kind: AuthConfig +version: v2 +definition: + mode: + jwt: + claimsConfig: + namespace: + claimsFormat: Json + location: /claims.jwt.hasura.io + tokenLocation: + type: BearerAuthorization + key: + fixed: + algorithm: Ed25519 + key: + value: '-----BEGIN CERTIFICATE REQUEST-----\nMIIBAzCBtgIBADAnMQswCQYDVQQGEwJERTEYMBYGA1UEAwwPd3d3LmV4YW1wbGUu\nY29tMCowBQYDK2VwAyEA/9DV/InajW02Q0tC/tyr9mCSbSnNP1txICXVJrTGKDSg\nXDBaBgkqhkiG9w0BCQ4xTTBLMAsGA1UdDwQEAwIEMDATBgNVHSUEDDAKBggrBgEF\nBQcDATAnBgNVHREEIDAegg93d3cuZXhhbXBsZS5jb22CC2V4YW1wbGUuY29tMAUG\nAytlcANBAKbTqnTyPcf4ZkVuq2tC108pBGY19VgyoI+PP2wD2KaRz4QAO7Bjd+7S\nljyJoN83UDdtdtgb7aFgb611gx9W4go=\n-----END CERTIFICATE REQUEST-----' ``` #### EC based @@ -521,28 +614,63 @@ needs to have the public key. **Example 1**: public key in PEM format (not OpenSSH format): -```json -{ - "type": "ES256", - "key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEVs/o5+uQbTjL3chynL4wXgUg2R9\nq9UU8I5mEovUf86QZ7kOBIjJwqnzD1omageEHWwHdBO6B+dFabmdT9POxg==\n-----END PUBLIC KEY-----" -} +```yaml +kind: AuthConfig +version: v2 +definition: + mode: + jwt: + claimsConfig: + namespace: + claimsFormat: Json + location: /claims.jwt.hasura.io + tokenLocation: + type: BearerAuthorization + key: + fixed: + algorithm: ES256 + key: + value: '-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEVs/o5+uQbTjL3chynL4wXgUg2R9\nq9UU8I5mEovUf86QZ7kOBIjJwqnzD1omageEHWwHdBO6B+dFabmdT9POxg==\n-----END PUBLIC KEY-----' ``` **Example 2**: public key as X509 certificate: -```json -{ - "type": "ES256", - "key": "-----BEGIN CERTIFICATE-----\nMIIBbjCCARWgAwIBAgIUGn02F6Y6s88dDGmIfwiNxWxDjhswCgYIKoZIzj0EAwIw\nDTELMAkGA1UEBhMCSU4wHhcNMjMwNTI0MTAzNTI4WhcNMjgwNTIyMTAzNTI4WjAN\nMQswCQYDVQQGEwJJTjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBFbP6OfrkG0\n4y93Icpy+MF4FINkfavVFPCOZhKL1H/OkGe5DgSIycKp8w9aJmoHhB1sB3QTugfn\nRWm5nU/TzsajUzBRMB0GA1UdDgQWBBSaqFjzps1qG+x2DPISjaXTWsTOdDAfBgNV\nHSMEGDAWgBSaqFjzps1qG+x2DPISjaXTWsTOdDAPBgNVHRMBAf8EBTADAQH/MAoG\nCCqGSM49BAMCA0cAMEQCIBDHHWa/uLAVdGFEk82auTmw995+MsRwv52VXLw2Z+ji\nAiAXzOWIcGN8p25uhUN/7v9gEcADGIS4yUiv8gsn/Jk2ow==\n-----END CERTIFICATE-----" -} + +```yaml +kind: AuthConfig +version: v2 +definition: + mode: + jwt: + claimsConfig: + namespace: + claimsFormat: Json + location: /claims.jwt.hasura.io + tokenLocation: + type: BearerAuthorization + key: + fixed: + algorithm: ES256 + key: + value: '"-----BEGIN CERTIFICATE-----\nMIIBbjCCARWgAwIBAgIUGn02F6Y6s88dDGmIfwiNxWxDjhswCgYIKoZIzj0EAwIw\nDTELMAkGA1UEBhMCSU4wHhcNMjMwNTI0MTAzNTI4WhcNMjgwNTIyMTAzNTI4WjAN\nMQswCQYDVQQGEwJJTjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBFbP6OfrkG0\n4y93Icpy+MF4FINkfavVFPCOZhKL1H/OkGe5DgSIycKp8w9aJmoHhB1sB3QTugfn\nRWm5nU/TzsajUzBRMB0GA1UdDgQWBBSaqFjzps1qG+x2DPISjaXTWsTOdDAfBgNV\nHSMEGDAWgBSaqFjzps1qG+x2DPISjaXTWsTOdDAPBgNVHRMBAf8EBTADAQH/MAoG\nCCqGSM49BAMCA0cAMEQCIBDHHWa/uLAVdGFEk82auTmw995+MsRwv52VXLw2Z+ji\nAiAXzOWIcGN8p25uhUN/7v9gEcADGIS4yUiv8gsn/Jk2ow==\n-----END CERTIFICATE-----' ``` **Example 3**: public key published as JWKs: -```json -{ - "jwk_url": "https://www.gstatic.com/iap/verify/public_key-jwk" -} +```yaml +kind: AuthConfig +version: v2 +definition: + mode: + jwt: + claimsConfig: + namespace: + claimsFormat: Json + location: /claims.jwt.hasura.io + tokenLocation: + type: BearerAuthorization + key: + jwkFromUrl: https://www.gstatic.com/iap/verify/public_key-jwk ``` ## Security considerations