prisma / prisma1

💾 Database Tools incl. ORM, Migrations and Admin UI (Postgres, MySQL & MongoDB) [deprecated]
https://v1.prisma.io/docs/
Apache License 2.0

Accept RS256 tokens in the Auth0 integration as well #145

Closed marktani closed 7 years ago

marktani commented 7 years ago

Right now, the Auth0 integration only works with HS256. However, auth0.js recently switched to RS256 tokens.

shortjared commented 7 years ago

I just realized this isn't the default. This is pretty critical because it reduces the need for me to trust graph.cool (or any third party) when handing over the secret. Making sure you can validate but not impersonate.

fredelf commented 7 years ago

As @shortjared says, this is pretty critical.

When will this feature be implemented?

Cheers

marktani commented 7 years ago

We're looking to add a more flexible authentication solution soon, that will allow you to attach an auth provider with custom behaviour to a type in your project. There is no specific ETA though.

mattfysh commented 7 years ago

auth0-js v8 requires RS256 tokens and will not work with tokens signed using the HS256 algorithm. I'm concerned that auth0-js v8 was first published in November of last year, and Graphcool still does not support it. At this stage, it looks like I'm required to downgrade to v7 which hasn't been updated since January.

Using outdated libraries when dealing with authentication and security is a critical concern, is there a ballpark ETA you're able to provide?

marktani commented 7 years ago

Perfect timing @mattfysh! We're rolling out a beta for this feature sometime today and I'm still looking for beta testers. Please reach out to me in Slack for more information 🙂

marktani commented 7 years ago

All beta spots for this feature are now filled; I'll post more information here as soon as available.

marktani commented 7 years ago

Big shoutout to @petrvlcek for contributing an example that allows authentication with RS256 tokens using Graphcool Schema Extensions.

As such, I'm closing this ticket. Further progress can be tracked in the feature requests for custom authentication and custom queries and mutations. If you're interested in contributing another example, please contact me in Slack 👍

ernoaapa commented 7 years ago

Please update your guide in here: https://www.graph.cool/docs/tutorials/react-apollo-auth0-pheiph4ooj/

Just lost 3h and finally figure out that I need to change in Auth0 settings: Clients -> Advanced Settings -> OAuth -> JsonWebToken Signature Algorithm: HS256

When creating user I got error The provided idToken is invalid even though I checked in jwt.io that it's valid.

abachuk commented 7 years ago

Thanks, @ernoaapa I only lost 1h. You saved me 2 hours 👍

mattfysh commented 7 years ago

I just looked into the example and it's not really what I thought it would be. It's more of a workaround, and it basically involves getting an auth token from auth0, validating it with a custom Graphcool schema extension, and then swapping it for an auth token that's compatible with the Graphcool authentication layer.

I was hoping for something where I could hook into the Graphcool authentication layer, and extend upon the HS256 Auth0 support that Graphcool already provides (to add support for RS256 tokens). I see that there is issue #88 (which appears not to have much activity), however I am stumped as to why the HS256 support can't be easily extended to support RS256? As it stands, the advertised auth0 integration comes with some pretty hefty fine print.

marktani commented 7 years ago

The current Auth0 integration offered in Graphcool conceptually does exactly the same as this example.

The difference is that with custom authentication (as mentioned in #88), you are in full control of the logic you want to implement, and use all kinds of different Auth0 features, such as RS256 token support and more. That's not the case using the fairly limited Auth0 integration, as you said.

mattfysh commented 7 years ago

@marktani - my understanding of the current Auth0 integration (and as I'm currently using it today), is that I am able to send an Auth0-issued token with each of my Graphcool requests, and each request is authenticated against Auth0.

This is a major difference from the example, as there is no exchanging of an Auth0-issued token, for a Graphcool-issued token. Hope that clears things up a bit, let me know if your understanding differs

marktani commented 7 years ago

Ah, now I understand the situation.

You're right that this is not supported with Schema Extensions anymore. For now, it will stay this way and I recommend everyone who wants to use RS256 tokens in Auth0 to use Schema Extensions instead. At some point, we're planning to again build a more integrated solution for services like Auth0, but there's no clear timeline yet. Please join the discussion in the forum about this matter 🙂

Thanks a lot for your feedback!

kbrandwijk commented 7 years ago

@mattfysh I am researching another approach, which is configuring Graphcool as custom social provider in Auth0. That way, when you authenticate with Auth0, the Graphcool token becomes part of the Auth0 token automatically. That way, you can directly use the Graphcool token from the Auth0 token for all requests to Graphcool from your client, without needing any other manual steps to 'exchange' tokens.

fredelf commented 7 years ago

@kbrandwijk Sounds interesting! Keep us posted on your progress :-)

mattfysh commented 7 years ago

@kbrandwijk - sounds interesting... do you know if it would work with users who have signed up to auth0 using existing social connections e.g. facebook, linkedin

petrvlcek commented 7 years ago

@kbrandwijk I wonder if this is a reasonable strategy. I guess that the main problem is that Graphcool still can authorize operations only with HS256 tokens. Hence you have to exchange the RS256 token issued by Auth0 for a Graphcool HS256 token in order to use it in subsequent requests.

In your strategy the token issued by Auth0 would still have to be a less safe HS256 token in order for it to work with Graphcool. So unless Graphcool fully supports RS256 it does not matter how you get the Graphcool token, be it from a schema extension or from a custom Auth0 social provider. Am I right?

dlobue commented 7 years ago

@marktani until you guys have something more permanent in place for the integrated solutions, can you guys please update your documentation and tutorials for auth0 to specify that HS256 is required? I literally spent all night trying to get auth0 to work last night.

wesbos commented 7 years ago

This should be on the Graphcool Auth0 config screen - just wasted 2 hours on this :(

rammoozz commented 7 years ago

I too am having the same issue...

GraphQL error: The provided idToken is invalid. My JsonWebToken Signature Algorithm - HS256 idToken is coming back undefined from window.localstorage (CreateUser 70). I am using this example - https://github.com/graphcool-examples/react-graphql/tree/master/authentication-with-auth0-and-apollo

kbrandwijk commented 7 years ago

@rkhayat Did you read and try the suggested solutions, which are specifying HS256 and disabling OIDC compliance, both in the Auth0 settings dashboard?

rammoozz commented 7 years ago

@kbrandwijk Thanks for the quick reply.

Oh WOW! It looks like it was an Id10t Error ;) I was using a fake email (thus no token came back). Thanks for the help, sorry to waste your time!!

mattfysh commented 7 years ago

Is there any way this ticket can be re-opened? I still believe that if auth0 integration is to be touted on the features page (https://www.graph.cool/features/#integrations) it should be an all or nothing affair.

RS256 is the most secure and recommended JWT signing algorithm, it's unfair to ask for our app security to be downgraded in order to enable the advertised integration. (For context, comment from auth0 on RS256 security features - https://github.com/auth0/auth0.js/issues/303#issuecomment-271873409)

I know there are workarounds involving Schema Extensions, but these do not function with the simplicity and minimal-configuration approach that is available when using the less secure signing algorithm.

Considering the current state of support in graphcool CLI, we are trying our best to minimize the amount of work that needs to be done by hand / copy & pasted in the graphcool console - this type of work is prone to human error, and in an ideal scenario, should never be done when promoting changes into production.

marktani commented 7 years ago

Schema extensions don't present a workaround. They are the recommended way to implement authentication functionality going forward.

Let me quote a message I wrote in another issue:

Hey @lastmjs, we'll discontinue the email password auth provider and all other integrations sooner rather than later.

An improved CLI version is currently being tested in early beta, where we are testing a simple module concept amongst other things.

Modules come with a slightly worse "out-of-the-box" experience than auth providers, but instead of zero control previously, developers now have full control over functionality, the interface, evolving the code etc.

We're currently compiling a set of ready-made modules, one of which is the email-password module: https://github.com/graphcool/modules/tree/master/authentication/email-password

Everyone in the community is invited to participate in the discussion for existing modules and to make suggestions for new ones. Apart from that, you are free to create your own modules to improve modularity and reusability in a Graphcool project.

Please reach out to me in a PM in the Forum if you're interested to participate in the beta now. We'll announce more information about the new CLI and which changes it brings soon.

I will release more information about the CLI beta in the Forum today.

mattfysh commented 7 years ago

Schema extensions don't present a workaround.

I'm afraid I'd have to disagree here - I'd consider any auth solution that requires the issuance of more than 1 token to be a workaround. The existing schema extension example requires these steps. (https://github.com/graphcool-examples/functions/tree/master/authentication/auth0-authentication)

This doubles the authentication surface area, creating additional & unnecessary security exposure. In this scenario there are now two security attack vectors. I hope you will agree - this is much less secure than having just one.

marktani commented 7 years ago

Have a look at this setup: https://github.com/graphcool-examples/functions/pull/77.

If using two tokens is a security concern to you, you can also look into adding Facebook/Github/Email-Password/... authentication directly to your Graphcool project.

Another possibility I see is to pull the Auth0 token issuance into the Graphcool Function, and only expose the Graphcool token to the client.

morajabi commented 7 years ago

Wasted 1 day on this ...