Authorizing Subscriptions With JWT #49
Comments
|
@joemcbride any ideas here? :) |
|
same issue |
|
I ended up switching away from the built in provider and rolled my own in order to work with Subscriptions and Queries / Mutations |
|
It's not directly supported from what I've seen - from previous dicussions on the topic, auth is expected to more/less be your own custom coding. Ideally you're running this under a WebAPI controller - so JWT should already be negotiated to the context. For usage you'd do like: |
|
Also keep in mind, "UserContext" can be anything you want. |
|
@jonmill Is this issue still actual for you? |
sungam3r
added
the
needs confirmation
|
@sungam3r it would be nice if there was a way that this was built-in, instead of having to roll-your-own auth...but no, I have moved on from this issue and done auth myself |
sungam3r
removed
the
needs confirmation
|
I was able to setup Subscription auth using built in elements alone. If you are interested @jonmill I can give you my method. |
|
Sure. The main issue I ran into with authorization and graphql-dotnet is the inconsistent handling of the user context. In graphql-dotnet proper, we are told to implement a I know this preamble was long but bear with me because it explains this next part: I'm not using the The final step here is how to actually handle the token during a websocket request. Obviously we cannot pass it through the headers as browsers do not allow header values beyond web socket protocol. In my case, I'm sending the access token as a query param and then using a message event handler in my JWT config to set the token during a websocket request. Here's startup psuedocode that should work for you. public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.Authority = "some authority";
options.Audience = "some audience";
options.TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = ClaimTypes.NameIdentifier
};
options.Events = new JwtBearerEvents
{
OnMessageReceived = context =>
{
if (context.Request.Query.TryGetValue("access_token", out StringValues queryToken) &&
context.Request.Headers.ContainsKey("Sec-WebSocket-Protocol"))
{
context.Token = queryToken.Single();
}
return Task.CompletedTask;
}
};
});
// Add schema types...
services.AddGraphQL()
.AddGraphQLAuthorization()
.AddWebSockets();
}
public void Configure(IApplicationBuilder builder)
{
builder.UseAuthentication();
builder.UseWebsockets();
builder.UseGraphQLWebsockets<Schema>();
builder.UseGraphQL<Schema>();
}I can probably put together a sample repo a little later on. |
Hi,
I have some authorizations setup to handle Queries and Mutations like so (simplified)
Now I'm attempting to add Subscriptions, but it looks like the Authorizations are not working. There didn't seem to be any built-in support for authorizing Subscriptions with JWTs, so I used this class for guidance. I can successfully retrieve the token from the connection, validate it, and add it to the HTTP context in an IOperationMessageListener::BeforeHandleAsync
But the subscription endpoint still says that I'm unauthorized when I use
AuthorizeWith. Is this a bug or how can I authorize Subscriptions using JWTs? Any guidance would be much appreciatedThe text was updated successfully, but these errors were encountered: