Auth on Schema, invalid "Alg"

A simple User schema which expects a sub claim inside the token payload can be this one:

type User @auth(
    query: {
        rule: """
            query ($sub: String!){
                queryUser(filter: {id: {eq: $sub}}){
                    id
                    email
                    name
                    gender
                    birthdate
                }
            }
        """
    }
){
    id: String! @search(by: [hash]) @id
    email: String! @search(by: [fulltext])
    gender: String!
    age: String!
    name: String!
}

Using an external authority for user authentification, we may provide the following comment on the end of the <schema>.graphql file, including the JWTURL:

# Dgraph.Authorization {"VerificationKey":"", "Header":"Authorization", "JWTURL":"<External_auth_URL>", "Namespace":"", "Algo":"", "Audience":[<client_ID>, <application_ID>]}

By sending

curl -X POST localhost:8080/admin/schema --data-binary '@<schema>.graphql'

But, the response is:

{"errors":[{"message":"resolving updateGQLSchema failed because invalid jwt algorithm: found \"JWTURL\":\"<External_auth_URL>\",, but supported options are: S384,RS512,HS256,HS384,HS512,RS256 (Locations: [{Line: 3, Column: 4}])","extensions":{"code":"Error"}}]}

Am I parsing the Dgraph.Authorization wrong? I’m just following the documentation on: https://dgraph.io/docs/graphql/authorization/authorization-overview/

Did you replace “<External_auth_URL>” with an actual URL that validates this? It seems like the URL is your problem.

J

Yes, I did that. As far as I know, the URL is good, it is from AWS Cognito itself, which can be obtained by going to: https://cognito-idp.<zone>.amazonaws.com/<client_id>/.well-known/jwks.json.

In that “jwks.json” file, is there:

{
  "alg": "HS256",
}

with one of the options [S384,RS512,HS256,HS384,HS512,RS256] ?

J

yes, it is the option RS256.

Get rid of the “Algo” key in your schema and see what happens. Also, are you using 21.03?

J

Sorry, when I made a issue earlier, there was a template for the version and specs, but it din’t show this time.

I’m using version 21.03, system Fedora 33, and good hardware.

When I remove the Algo key, the error persists. Using:

# Dgraph.Authorization {"VerificationKey":"", "Header":"Authorization", "JWTURL":"https://cognito-idp.<zone>.amazonaws.com/<client_id>/.well-known/jwks.json", "Namespace":"", "Audience":[<client_ID>, <application_ID>]}
{"errors":[{"message":"resolving updateGQLSchema failed because invalid jwt algorithm: found \"JWTURL\":\"https://cognito-idp.<zone>.amazonaws.com/<client_id>/.well-known/jwks.json\",, but supported options are: RS384,RS512,HS256,HS384,HS512,RS256 (Locations: [{Line: 3, Column: 4}])","extensions":{"code":"Error"}}]}

Is it something wrong with the binary parse? Like, the json not being well formated?

Remove ‘VerificationKey’ and make ‘JWTURL’ TO ‘JWKURL’.

1 Like

Removing Algo and Verification key, and turning JWTURL to JWKURL, the error persists. Using:

# Dgraph.Authorization {"Header":"Authorization", "JWKURL":"https://cognito-idp.<zone>.amazonaws.com/<client_id>/.well-known/jwks.json", "Namespace":"", "Audience":[<client_ID>, <application_ID>]}
{"errors":[{"message":"resolving updateGQLSchema failed because invalid jwt algorithm: found \"JWKURL\":\"https://cognito-idp.sa-east-1.amazonaws.com/sa-east-1_xUd3VLsG3/.well-known/jwks.json\",, but supported options are: RS384,RS512,HS256,HS384,HS512,RS256 (Locations: [{Line: 3, Column: 4}])","extensions":{"code":"Error"}}]}

I’m triple checking to see if there’s some " or ' misleading, but the sintax is OK.

I think i’ve found the error. It was two:

First, I was using JWTURL when it should be JWKURL.
Second, inside the Audience Key, inside the list, all its members must be inside "". Which, was not.

Since the visual studio graphql extension highlight treats everything as a comment after # (because it is), it does a terrible job a debbuging it.

Thanks for all the help and patience.

1 Like