RxDBDotNet is a .NET library that implements the RxDB replication protocol, enabling real-time data synchronization between RxDB clients and .NET servers using GraphQL and Hot Chocolate. It extends the standard RxDB replication protocol with .NET-specific enhancements.
MIT License
Add support for OIDC-configured JWT authentication in GraphQL subscriptions #74
Our GraphQL subscription authentication doesn't support OpenID Connect (OIDC) configuration for JWT validation. This limits the flexibility for users who rely on OIDC providers for authentication, especially in scenarios where signing keys may be rotated or fetched dynamically.
Proposed Solution
Implement support for OIDC configuration in our WebSocketJwtAuthInterceptor. This should allow for dynamic retrieval and use of JWT validation parameters, including signing keys, from an OIDC discovery endpoint.
Implementation Details
Update WebSocketJwtAuthInterceptor to check for and use OIDC configuration when available.
If OIDC configuration is present, retrieve signing keys dynamically before token validation.
Ensure this process is efficient and doesn't introduce significant latency in the authentication process.
Update documentation to reflect this new capability.
Testing
Add integration tests that verify subscription authentication works with OIDC-configured JWT.
Test scenarios should include successful authentication and event reception with dynamically configured keys.
User Impact
This enhancement will allow users to integrate our library more easily with OIDC-compliant identity providers, improving flexibility and security in authentication setups.
Acceptance Criteria
[x] WebSocketJwtAuthInterceptor successfully uses OIDC configuration for JWT validation when available.
[x] Authentication flow works seamlessly with dynamically retrieved signing keys.
[x] New integration tests added and passing.
[x] Documentation updated to explain OIDC support in subscription authentication.
[x] No regression in existing authentication scenarios.
Additional Notes
This change should be backwards compatible with existing setups that don't use OIDC configuration.
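One way the validation step described in this issue could look, as an added example that is not RxDBDotNet's own code and is not taken from the issue. It assumes the standard ASP.NET Core `JwtBearerOptions`, whose `ConfigurationManager` is populated when an authority or metadata address is configured; the class name `OidcAwareTokenValidator` and its methods are hypothetical.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

// Hypothetical helper for illustration; not the project's WebSocketJwtAuthInterceptor.
public static class OidcAwareTokenValidator
{
    public static async Task<ClaimsPrincipal> ValidateAsync(
        string token, JwtBearerOptions options, CancellationToken ct)
    {
        try
        {
            return Validate(token, await BuildParametersAsync(options, ct));
        }
        catch (SecurityTokenSignatureKeyNotFoundException)
            when (options.ConfigurationManager is not null)
        {
            // Unknown key id: the provider may have rotated its signing keys.
            // Ask for a refresh and retry once. ConfigurationManager throttles
            // refreshes (RefreshInterval), so tokens carrying bogus key ids
            // cannot force a metadata fetch on every connection attempt.
            options.ConfigurationManager.RequestRefresh();
            return Validate(token, await BuildParametersAsync(options, ct));
        }
    }

    private static async Task<TokenValidationParameters> BuildParametersAsync(
        JwtBearerOptions options, CancellationToken ct)
    {
        // Clone so discovered keys never mutate the shared options instance.
        var parameters = options.TokenValidationParameters.Clone();
        if (options.ConfigurationManager is null)
            return parameters; // No OIDC configured: existing static setup is used unchanged.

        // Served from the manager's cache except on first use or after a refresh.
        var config = await options.ConfigurationManager.GetConfigurationAsync(ct);
        var issuers = new[] { config.Issuer };
        parameters.ValidIssuers = parameters.ValidIssuers?.Concat(issuers) ?? issuers;
        parameters.IssuerSigningKeys =
            parameters.IssuerSigningKeys?.Concat(config.SigningKeys) ?? config.SigningKeys;
        return parameters;
    }

    private static ClaimsPrincipal Validate(string token, TokenValidationParameters parameters) =>
        new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
}
```

Any other validation failure (expired token, wrong audience, bad signature with a known key) propagates to the caller, which should reject the WebSocket connection rather than retry.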