Is it possible to combine Firebase Auth and Slash GraphQL?
Firebase Auth should handle the authentication of users and Slash GraphQL the actual authorization.
Or is is better to use GCP Identify Platform and stay clear of Firebase?
Yeah, it is possible to have authentication with firebase with Slash GraphQL. You just need to provide the JWKURL and set Audience
to your firebase projectId
in the Authorization Header
in your GraphQL Schema
. For more context, refer to these docs. We will soon be releasing the sample example and a tutorial to help you integrate firebase auth with your app and slash GraphQL backend.
@minhaj Thanks for the reply!
Could you just explain how to get a working example? New to JWT and not sure what needs to be in the schema file.
The following does not work, “Audience” and “Header” is missing.
# Dgraph.Authorization { "JWKURL": "https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com", "Namespace": "**projectId**" }
Also, do I need to send the JWT in each request?
Thanks again!
Sorry for the incorrect information in my earlier comment (I have edited it). You need to pass your projectID in the Audience
field.
Now in the Header field, you need to give the name of header which will contain the jwt
token when you will send your GraphQL request.
And if your JWT also contains some custom claims then set the Namespace
of the custom claims. And if the JWT
don’t have any custom claims then just set Namespace
to any random string.
And lastly yes! you need to send JWT in each request.
Got an error after deploying the schema file. “Failed to connect to backend. Please reload the schema or contact us if the issue persists.”
** types **
# Dgraph.Authorization { "JWKURL": "https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com", "Audience": "** projectId **", "Header": "Authorization" }
I cannot access the schema at all now.
Thanks for the ongoing help!
Can you please be more specific about the error and the steps for reproducing it?
Not sure what I did more than just deploying the schema and heading to the API Explorer to see that no schema is available. The schema that got deployed looked like this (with the actual projectId).
type User {
name: String @search(by:[exact,fulltext])
}
# Dgraph.Authorization { "JWKURL": "https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com", "Audience": "** projectId **", "Header": "Authorization" }
Can you paste the response?
Can you try updating schema once more after adding Namespace
to the Authorization
Header?
Created a new backend and deployed this exact schema (with namespace).
The deployment was successful but after a page refresh was the schema unavailable again.
type User {
name: String @search(by:[exact,fulltext])
}
# Dgraph.Authorization { "JWKURL": "https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com", "Audience": "** projectId **", "Header": "Authorization", "Namespace": "test" }
@minhaj found what was causing this.
The space between #
and Dgraph.Authorization
needed to be removed.
@minhaj we should fix this behavior and even if there is a space after #
we should still be able to read the Dgraph.Authorization
header. Accepting this as an issue to be fixed.
Hey @Isak, the exact format of Authorization
header in the schema is that it there should be space between #
and Dgraph.Authorization
and hence it should be # Dgraph.Authorization
. If there is no space between them, Dgraph won’t recognize it as a valid Authorization
Header and don’t even try to parse it. That is why you are not facing any error which you faced earlier.
@minhaj thanks for the clarification! So this is a bug and the feature can not be used at the moment?
No, there is no known bug yet. Please go ahead in using it, but try to include space between #
and Dgraph.Authorization
.
Sorry but I can’t get this to work.
@minhaj can you please provide a working schema that I can try with my own values?
Actually, got it working now I think. At least able to deploy the schema without crashing it.
Hey @Isak, the given schema should work.
type Task @withSubscription @auth(
query: { rule: """
query($USER: String!) {
queryTask {
user(filter: { username: { eq: $USER } }) {
username
}
}
}"""}), {
id: ID!
title: String! @search(by: [fulltext])
completed: Boolean! @search
user: User!
}
type User @withSubscription {
username: String! @id @search(by: [hash])
name: String
tasks: [Task] @hasInverse(field: user)
}
# Dgraph.Authorization {"Header":"X-Firebase-Token","Namespace":"https://dgraph.io/jwt/claims","JWKURL":"https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com","Audience":["your-project-id"]}
Apart from this, can you tell us more about the error which you are facing?
The error is related to the formatting of the header. For example if there is a space or not as discussed earlier. I can’t give exact details because of the amount of different schemas I tried. But I’m t has to do with the formatting and parsing for sure.
Hi, I have successfully authenticated against firebase via an authorization string in the schema as above. It works great. If I pass no/invalid token or an expired token my frontend request is rejected.
However when I have anonymous access allowed and completely exclude my firebase token key:value from the request header the backend returns the request!.
If I define authentication like this in my schema, to ensure a request is coming from an authenticated user, then completely omit token key value pair from the header (i.e. act like a completely unauthenticated user) shouldn’t the request be rejected?