Authentication endpoint to generate JWT tokens #40
Comments
|
We are still working out the best way to create tokens in PostGraphQL, if you have any ideas, we would love to here them! 😊 For now it's recommended to create a single HTTP endpoint where you can (temporarily) manually create tokens. We'll probably have a solution soonish with the implemention of procedure execution, so stay tuned! (see my notes on #31) |
|
This is an awesome project. Discovered it today and we already have a working example for implementation. Is it possible to implement something like PostgREST JWT tokens - http://postgrest.com/admin/security/ |
|
@rahult Authentication currently works very similar to PostgREST (actually hoping they will rename where they mount claims to be compliant with this spec so we can be compatible in that regard). I will also probably do authentication that way, it really seems like the best idea. That is blocked by the implementation of procedures though so stay tuned! I'm going to leave this open until we have an authentication implementation. |
|
Thanks @calebmer! For what its worth, I do like that I can create my own authentication service to create JWT tokens for any special needs or authentication systems I might have, so it would be good to continue to be able to do that even once authentication is built in. It would just be nice to have the option of a built in authentication as well. So hopefully you can architect it to keep both options available. Good luck getting the stored proc stuff sorted! |
|
Thanks! Yeah, opt in authentication is super important for us 😊 |
|
Now that procedure support has been released, chances are there will be an authentication point done any time soon as well? |
|
@meglio I’m going to look into adding this over the weekend. |
|
This is awesome! Are you going to also handle replay attacks in any way? |
|
@meglio no, not in what I imagine for authentication. However, that doesn’t mean you can’t implement it on the PostgreSQL side 😉 What I imagine is we allow users to define tables, and/or custom types as tokens and then they could specify that type by the command line. So something like create type my_schema.my_token as (…);
-- or
create table my_schema.my_token (…);If a table is specified we could bypass JWTs altogether and just return the primary key for the table. PostGraphQL could then also potentially define a function, However, it looks like this feature requires more deep and fundamental changes in order to get right. It has also come to my attention that the library needs a good cleanup anyway. So it’s going to take a little longer to develop this feature than the weekend I initially anticipated. I think my time frame is around 2–3 weeks, we’ll see. In the meantime, PostGraphQL already allows for authorization with whatever technique you devise, you’ll just need to put the authentication logic in you’re own microservice. Authentication will be coming to PostGraphQL though. Hopefully sooner rather than later 😉 |
|
May you please elaborate on this:
What would be the structure of such a table? Probably table user_session( userid bigint, session_token text) - is that what you mean? Also, not sure what you mean with "bypass JWTs altogether". |
|
@meglio take the following example: You have a user session table like so: create table user_session (
id serial primary key,
user_id int references user(id)
);…and on the command line interface you point to the table like so: …and you had an authentication function like this: create function authenticate() returns user_session …Instead of creating a JWT, we could just return the primary key of the Does that make sense? |
|
Yep, thanks for making your explanation more material :) So, I'd have to create an Next, client side I get the result and store it somewhere (local storage, cookies, ..). In the network layer on my client I read the token and, if present, add an Have I understood it correctly? Also, where in this chain does SET LOCAL ROLE $R reside? - at which moment and from where will Postgresql fetch the $R and call the SET ROLE sql command? |
|
After reading this article, I wonder why should JWT be used for sessions at all, and what other solutions are avialable to set roles for authorized users in GraphQL based on sessions. |
|
Yep you got it 😉 One small nit-pick though, the header would be We would get the role from the table similar to how we get the role from the JWT. Imagine a table with a create table user_session (
id serial primary key,
user_id int references user(id),
role text
);We might even just detect references to the As for JWTs, they are an interesting beast. Used incorrectly they can be a very dangerous session management system, but used correctly they have some pretty great advantages. Number one being we don’t need to query a database to validate our token. In many large systems setting up a Redis instance to store sessions may be efficient, but for most usecases it’s much easier to have a stateless JWT with a quick expire time. I usually put an expiration of 10–30 minutes on my JWTs and also issue a refresh token with them. Then we get the best of both worlds. A JWT to make fast requests, and a refresh token that we can invalidate in the database. I recognize the article author’s concerns (concerns I’ve had when building JWT systems in the past), but I don’t agree with the conclusions. I like JWTs for session management (when used wisely!), but this proposal would allow for either a JWT or a more managed solution. |
|
Provided I can see Does it mean I'll have to create my own nodejs project, import What I would like to try is basically a classical cookies-based authentication system, yet it should call SET ROLE for me - otherwise it's not clear how to use Postgraphql in a web project as is without making my own endpoint if not going with JWT. What I have in mind is something like this:
Does it make any sense? P.S. Returning just a cookie name from A more generalized way would be |
|
The flow would look more like this: mutation Authenticate {
authenticate(name: "admin", password: "password") {
token
}
}Where then |
|
If anyone has a working authentication example, I would love to see it added to the documentation. Very interesting thread btw. |
|
Yep, that's what I mean, but just wanted to let it not be limited to JWT only. |
|
If I understood correctly from the last news, you have postponed authentication till the new architecture is implemented, as described in the recent My vision for the future of PostGraphQL thread. Please confirm. |
|
@meglio correct. This is a feature that’s very high on my priority list, but I want to get it right. I also want to remind that authentication can still be done outside of PostGraphQL today. It’s fairly simple to setup a Node.js server to manage authentication and use that token with PostGraphQL’s authorization features. If you want, it would also be fairly simple to hook into the generated mutation type allowing you to add your own mutation field. |
|
Is this included endpoint still needed ? I'm planning to use https://github.com/michelp/pgjwt to sign a jwt token using postgres and postgraphql only for ease of use (no external auth server) and it would be relevant to match the final API. |
|
@prevostc that’s pretty awesome, I did not know about that. I still want to support JWT generation in PostGraphQL for people who want it though, but that solves a lot of problems 😊 Here’s my thoughts on API, you pass into PostGraphQL So for SQL that looks like: create type my_token as (
user_id uuid
);
create function authenticate (name text, password text) returns my_token …;In PostGraphQL you’ll get a GraphQL schema that looks (roughly) like: scalar JWT
type Mutation {
authenticate(input: AuthenticateInput!): AuthenticatePayload!
}
type AuthenticateInput {
name: String!
password: String!
}
type AuthenticatePayload {
myToken: JWT
}Where PostGraphQL might add an Hope that helps @prevostc 😊 |
|
@calebmer that look nice to me! I would like to start working on this and submit a WIP asap. Any idea on how an external oauth identity provider would fit this model ? (google/facebook/github/...) |
|
Authentication will be in PostGraphQL 2 which is almost done (you can track the development in the I’m not 100% sure how Google/Facebook/GitHub etc. auth would fit well into this model. You’d probably want a GraphQL mutation something to the effects of |
|
PostGraphQL 2 beta has been released which has an authentication implementation (#145). Install the beta today and tell me what you think. I’ll be writing a documentation article on how to use the authentication feature and updating the example schema before the full release 👍 (make sure you have a Postgres server listening on |
|
With authentication built-in, this is getting closer to a fully featured out-of-the-box no-server-code applications. Where can we read about v2 new features and changes? |
|
I’m going to close this as its in the PostGraphQL 2.0 beta 🎉 Start playing with the pre-release, the final release should be out really soon. Tell me what you think! 👍 |
|
If you’d like to read up on how authentication works in PostGraphQL 2, there is a detailed documentation tutorial going over the entire process. The documentation article: https://github.com/calebmer/postgraphql/blob/787bbe4ee842e0d931989df88acbdb3a88e1c380/examples/forum/tutorial.md |
|
@calebmer Been following your documentation and everything worked really well. Great documentation, thanks for the huge effort that must have gone into it |
* Add totalCount query * Declare when cursor is used * Only query cursor when required * Only select fields when necessary * Upgrade flow and pg-sql2 * Less opaqueness * Fix flow issues
Great project!
I am having trouble working out where I generate the JWT token. Your docs provide a really good description of how you can see the details of a passed in token, so I assume that you are meant to create a JWT token in another service and just have the same secret as you have in postgraphql. Is this correct?
If so, is it possible to add an endpoint to postgraphql to allow users to authenticate with a postgresql login role and password and have postgraphql generate and return a JWT token for use with graphql queries?
Thanks.
The text was updated successfully, but these errors were encountered: