I am wondering if I can get an @auth query to use a variable that isn't decoded from a JWT, but rather comes directly from a request header key/value pair?
In context, I have a WebAssembly SPA app (running completely in the browser) which is using a third party for authentication, from which I get some context on the user back such as a unique key, email, profile information etc…
The whole solution is running on SSL, so I am hoping not to have to run up an API server just to generate a JWT to pass variables into the Slash GraphQL auth model for it to be decoded again - I would prefer just to add the variables to the HTTP header.
I mocked the auth rule with a string for the email and verified in principle that it works.
The authorization directive expects to get the information from the JWT. It won't work if the EMAIL is passed using HTTP headers.
Even this rule will expect the EMAIL variable to be provided via the JWT.
If you are okay with passing the email (without any auth mechanism) through HTTP headers, you may also consider adding filters (instead of using auth) to the query. This can ensure that the information for the user with the specified email is fetched.
The big drawback, though, is that this is not secure: it means that anyone who knows a user's email can use the filter query to fetch that user's information.
I have now managed to acquire JWT tokens from my auth provider Okta and have now come across another stumbling block… All of the claims seem to be in the root of the payload as opposed to within a namespace.
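As an added example (not code from this thread or from Dgraph), the following Python shows why the directive wants a signed token rather than a plain header, and what the namespace stumbling block looks like: the EMAIL claim is only accepted when the HS256 signature verifies and the claim sits under the configured namespace, mirroring the Namespace field of the Dgraph.Authorization schema comment. The secret, claim names and namespace URL are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Build a constructed sample token standing in for what an IdP would issue."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def email_from_jwt(token: str, secret: bytes, namespace: Optional[str]) -> Optional[str]:
    """Return the EMAIL claim only if the signature verifies and the claim is
    found where the configured namespace says it should be; otherwise None.
    A value copied from a plain request header has no signature to check,
    which is why it cannot be trusted the same way."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token pick "none" or a different scheme.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    payload = json.loads(_b64url_decode(payload_b64))
    # With a namespace configured, claims at the payload root are ignored,
    # which is the symptom described above when the IdP puts them at the root.
    claims = payload.get(namespace) if namespace else payload
    if not isinstance(claims, dict):
        return None
    return claims.get("EMAIL")
```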
Cheers @verneleem, just realised from your profile that you weren't one of the core team! Thanks, I have commented in the post you shared. Really appreciate you noticing this.