JWT authentication

Moved from GitHub dgraph/5173

Posted by emregency:

Experience Report

Note: Feature requests are judged based on user experience and modeled on Go Experience Reports. These reports should focus on the problems: they should not focus on and need not propose solutions.

What you wanted to do

I wanted to evaluate the Enterpise License to know if I can authenticate users using JWT tokens issued by an IAM provider.

What you actually did

I went to check the documentation to see if this was possible. I discovered that dGraph was actually also acting as an IAM service, partially.

The secret key is used by Alpha servers to sign JSON Web Tokens (JWT). As you’ve probably guessed, it’s critical to keep the secret key as a secret. Another requirement for the secret key is that it must have at least 256-bits, i.e. 32 ASCII characters, as we are using HMAC-SHA256 as the signing algorithm.

Why that wasn’t great, with examples

It wasn’t great because, if I think of a dB, I think of it as a data service in my application in harmony with the other services. As users need to consume different services within the context of an application, I was considering to implement defense-in-depth using the enterprise edition of dGraph service. I was considering if dGraph can authenticate a user through a JWT, then apply ACL based on that.

Example scenario:
1- User identifies through a UI with PKCE to an IAM service
2- IAM service authenticates the User and returns a JWT
3- UI sends a request to the API Gateway with the Bearer authorization header
4- API Gateway validates the JWT and authorizes the user for services or operations
5- API Gateway relays the request to the relevant service with the User JWT
6- Every service checks again ACL based on User JWT

Graph ACL #5167 + User JWT = defense-in-depth, unified accountability across services, reduced attack surface for lateral movement and information disclosure.

Any external references to support your case

Mongo dB Atlas Custom JWT

gja commented :

Hi @emregency,

Thank you for the experience report. I wanted to ask a few questions to clarify exactly what you are looking for.

We currently have two types of authentication / authorization in our system

  • ACLs - This allows you to set up rules for which users can access which data. However, the granularity of these rules is at the predicate level, and not at the individual records. As you’ve mentioned, this does work based on JWT. https://dgraph.io/docs/enterprise-features/#access-control-lists
  • JWT Authorization for GraphQL - This is currently in beta, and will be available in 20.07. The JWT Authorization will allow you to set up Dgraph with an external public key for JWT signatures, then make arbitrary claims on the data that is queried / created by the GraphQL endpoint. More details here: GraphQL Authorisation

Does the JWT Authorization for GraphQL solve your use case? If you are looking for ACL, but have the IAM provider be a 3rd party, then would you be able to generate a JWT token in dgraph’s format, or do you think that dgraph should also support custom JWT? Finally, which client are you using (dgo / dgraph4j / etc…, or the Rest/GRPC endpoints directly)