Issue with Slash GraphQL Authentication

We have been using the Dgraph.Authorization {"ClosedByDefault": true, ...} option to protect our Slash server’s GraphQL endpoints. This was working fine until it stopped working 2 hours ago. Now, while accessing any endpoint, we get a 401 Unauthorized. More precisely, we get the following response:

{
  "data": null,
  "errors": [
    {
      "message": "Access Denied"
    }
  ]
}

We cross-checked the validity and correctness of the JWT token that we are using. It is the same token that was working fine before. Just to be safe, we also tested access with a newly issued token, but none of the tokens work.

Thinking that this issue is somehow linked to the release of this feature: Authentication Slash graphql, we switched off the newly added Anonymous Access option. But we still get the same Access Denied error.

Note
Our Slash Schema defines Authorization in this format:

# Dgraph.Authorization {"ClosedByDefault": true, "VerificationKey": "-----BEGIN PUBLIC KEY-----\n1234\n-----END PUBLIC KEY-----","Header": "Authorization","Namespace": "https://dgraph.io/jwt/claims","Algo": "RS256","Audience":["1234"]}

Would be great if someone can help us in fixing this issue.


Hey,

We are really sorry about this. We are looking into this issue and will update you as soon as we have more details about it.

Thanks.

Hi there, we have found the issue, and will put out a fix very shortly. In the meantime, one workaround is to rename the header to one that is not used by Slash GraphQL, such as X-my-auth.

Further, the anonymous access rules are applied before your jwt token from @auth is verified, so you will need to enable anonymous access.

Alternatively, you can pass an API key in the Dg-Auth header.
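
The three options above (a renamed auth header, anonymous access, a Slash API key in Dg-Auth) are easy to mix up, so here is a small pre-flight helper written for this thread. It is an added example, not Dgraph's or Slash's own code. It parses a constructed # Dgraph.Authorization line (key and audience are placeholders, the Header already renamed to the workaround name), checks a JWT's alg, aud and namespace claims against Algo, Audience and Namespace before the request is sent, and builds the request headers, putting the JWT under the directive's Header and the Slash key under Dg-Auth. It assumes Slash reads custom claims from the Namespace key and compares aud against Audience, as the directive fields suggest; the signature and exp are left for the server to verify against VerificationKey.

```python
"""Pre-flight helper for a Slash GraphQL request guarded by a
Dgraph.Authorization directive (added example, not Dgraph's own code)."""
import base64
import json
import re

# Constructed schema fragment modelled on the directive in the thread, with the
# header already renamed per the workaround. Key and audience are dummy values.
SCHEMA = (
    '# Dgraph.Authorization {"ClosedByDefault": true, '
    '"VerificationKey": "-----BEGIN PUBLIC KEY-----\\n1234\\n-----END PUBLIC KEY-----",'
    '"Header": "X-My-Auth-Key","Namespace": "https://dgraph.io/jwt/claims",'
    '"Algo": "RS256","Audience":["1234"]}\n'
    "type Todo { id: ID! title: String! }\n"
)

# Header names the thread reports as clashing with Slash's own handling
# (assumption: only Authorization is known to clash; pick any unused name).
CLASHING_HEADERS = {"authorization"}

_DIRECTIVE = re.compile(r"^#\s*Dgraph\.Authorization\s+(\{.*\})\s*$", re.MULTILINE)


def parse_authorization(schema):
    """Return the directive's JSON object, or None if the schema has none."""
    match = _DIRECTIVE.search(schema)
    return json.loads(match.group(1)) if match else None


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_jwt(claims, alg="RS256"):
    """Constructed token for local checks: real header and payload, dummy
    signature. Slash verifies the signature against VerificationKey; we don't."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url(b'not-a-real-signature')}"


def preflight(token, auth):
    """List reasons the directive would reject this token, before sending it.
    Covers Algo, Audience and the Namespace claims object, not signature/exp."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part JWT"]
    header = json.loads(_unb64url(parts[0]))
    claims = json.loads(_unb64url(parts[1]))
    problems = []
    if header.get("alg") != auth.get("Algo"):
        problems.append(f"alg {header.get('alg')!r} does not match Algo {auth.get('Algo')!r}")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if auth.get("Audience") and not set(aud) & set(auth["Audience"]):
        problems.append("aud claim matches none of Audience")
    namespace = auth.get("Namespace")
    if namespace and not isinstance(claims.get(namespace), dict):
        problems.append(f"no custom-claims object under {namespace!r}")
    return problems


def header_clashes(name):
    """True if the directive's Header is one Slash uses itself."""
    return name.lower() in CLASHING_HEADERS


def build_headers(auth, token=None, api_key=None):
    """Request headers: the @auth JWT under the directive's Header, and the
    Slash key (client or admin) under Dg-Auth. Either part may be omitted."""
    headers = {"Content-Type": "application/json"}
    if auth is not None and token is not None:
        name = auth["Header"]
        if header_clashes(name):
            raise ValueError(f"rename Header {name!r}: Slash uses it itself")
        headers[name] = token
    if api_key is not None:
        headers["Dg-Auth"] = api_key
    return headers


AUTH = parse_authorization(SCHEMA)
GOOD_TOKEN = make_sample_jwt({"aud": "1234", "https://dgraph.io/jwt/claims": {"role": "admin"}})
BAD_TOKEN = make_sample_jwt({"aud": "other"}, alg="HS256")

if __name__ == "__main__":
    print(preflight(GOOD_TOKEN, AUTH))  # []
    print(preflight(BAD_TOKEN, AUTH))   # 3 problems: alg, aud, namespace
    print(build_headers(AUTH, GOOD_TOKEN, api_key="<slash-client-key>"))
```

The Dg-Auth key only identifies the caller to Slash; it is not a substitute for the JWT that @auth rules read from the directive's Header, so a request that carries only Dg-Auth still fails any @auth-protected query.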

Hi Tejas,

Thanks for your help. We can try out the workaround, but if I correctly understand the Anonymous Access option, I think that would better satisfy our use-case. Thus, it would be great if you can share some documentation on using that. Some doubts I have, considering we want to use the Anonymous Access option:

  1. If we want to restrict all access, then we just need to switch off this option, and there is no need for the # Dgraph.Authorization {..} line, right?
  2. What key should be sent in the Dg-Auth header? Should it be a Slash Client Key or an Admin Key?

Yes, you can remove the auth directive. And either key will work. We are working on a screen so that tokens can explicitly get access to certain operations, but existing tokens will have access to all operations

Hi Tejas,

I removed the auth directive and the # Dgraph.Authorization {..} line, and then tried a query while passing the Dg-Auth: ADMIN_KEY header. This fails with this response:

{
  "errors": [
    {
      "message": "couldn't rewrite query myQuery because a valid JWT is required but was not provided"
    }
  ],
  "data": {
    "myQuery": null
  }
}

Update: For the time being, I have managed to make auth work like before by using the workaround suggested by @gja, i.e. changing the auth header’s name to X-My-Auth-Key and enabling Anonymous Access.
