
Added OpenID Json Web Key Sets for verification via the @auth directive #564

Merged 5 commits on Nov 8, 2021

Conversation

@dvanmali (Contributor) commented Nov 5, 2021

Description

According to OpenID configuration, verification of JWTs should be validated against the authentication server's JWKS to ensure that the server signed it. Instead of interpreting the JWT via a secret or PEM file (which, if maliciously stolen, could rewrite JWTs), we verify via the signature represented by the token's kid at the endpoint https://YOUR_DOMAIN/.well-known/jwks.json.

These changes are currently non-breaking changes.

Issue

#252

Passing a decoded token only partially solves this verification issue. We'd rather perform verification via the GraphQL @auth directive so checks occur at each request and are done without secrets.

Checklist

The following requirements should have been met (depending on the changes in the branch):

  • Documentation has been updated
  • TCK tests have been updated
  • Integration tests have been updated
  • Example applications have been updated
  • New files have copyright header
  • CLA (https://neo4j.com/developer/cla/) has been signed

@github-actions github-actions bot added documentation Improvements or additions to documentation graphql labels Nov 5, 2021
@neo4j-team-graphql (Collaborator) commented Nov 5, 2021

Thanks for the documentation updates.

The preview documentation has now been torn down - reopening this PR will republish it.

@oskarhane (Member) left a comment

Thank you for this PR @dvanmali, really appreciate it.
Looks good in general, just a small comment.

Also, could you come up with a way to test this (that it takes the code path when the config value is set) so we don't introduce regressions in the future?

Review comment on packages/graphql/src/auth/get-jwt.ts (outdated, resolved)
dvanmali and others added 2 commits November 5, 2021 11:43
The value is already set so there is no need for a default value ""
@oskarhane (Member) left a comment

LGTM, thanks a lot @dvanmali

Labels: documentation, feature

4 participants