Multiple JWT Secrets
Available on: Cloud, Enterprise Edition
Introduction
You can configure GraphQL Engine with a list of JWT secrets. This enables you to authenticate with different JWT issuers.
How to use
Multiple JWT secrets can be provided in the env var HASURA_GRAPHQL_JWT_SECRETS, which takes a list of JWT secret objects.
For example:
[
{ "jwk_url": "https://...", "issuer": "myapp" },
{ "type": "HS256", "key": "3EK6FD...", "issuer": "test" }
]
The structure of an individual JWT secret is described here.
Note
If both HASURA_GRAPHQL_JWT_SECRET and HASURA_GRAPHQL_JWT_SECRETS are set, then HASURA_GRAPHQL_JWT_SECRETS will be used.
Resolution logic
The authentication is resolved as follows:
- Bearer tokens are extracted from the header or cookie location configured for each JWT secret.
- Tokens are filtered to ensure that the issuer field matches the configuration, or that the issuer is absent either from the configuration or the token.
- If no matching tokens are found then the unauthenticated flow is performed (depends on HASURA_GRAPHQL_UNAUTHORIZED_ROLE).
- If multiple matching tokens are found then an error is raised as the desired token is ambiguous.
- If only one matching token is found then it is verified against the corresponding configured secret.
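The resolution steps above, as an added example that is not Hasura's own code: a small model of the extract, filter, and verify flow over two HS256 secrets, one read from the Authorization header and one from a cookie. The `header` location key, the secret shapes, the sample tokens and the keys are constructed for the demo; only the signature check (HMAC-SHA256 via the standard library) is real, and JWK-based secrets are not modelled.

```python
import base64, hashlib, hmac, json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_hs256_token(claims: dict, key: str) -> str:
    # Constructed sample signer for the demo; real tokens come from the issuer.
    head = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def payload(token: str) -> dict:
    # Unverified decode: used only to read 'iss' for filtering, never for authorization.
    return json.loads(_unb64url(token.split(".")[1]))

def hs256_valid(token: str, key: str) -> bool:
    head, body, sig = token.split(".")
    expected = hmac.new(key.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _unb64url(sig))  # constant-time compare

def extract_token(secret: dict, headers: dict, cookies: dict):
    # Hypothetical simplified 'header' location: default Authorization bearer, or a named cookie.
    loc = secret.get("header", {"type": "Authorization"})
    if loc["type"] == "Cookie":
        return cookies.get(loc["name"])
    value = headers.get(loc["type"], "")
    return value[len("Bearer "):] if value.startswith("Bearer ") else None

def resolve(secrets: list, headers: dict, cookies: dict) -> tuple:
    matches = []
    for secret in secrets:
        token = extract_token(secret, headers, cookies)
        if token is None:
            continue
        iss = payload(token).get("iss")
        # Keep the token if the issuer matches, or is absent from the config or the token.
        if "issuer" not in secret or iss is None or iss == secret["issuer"]:
            matches.append((token, secret))
    if not matches:
        return ("unauthenticated", None)  # falls through to HASURA_GRAPHQL_UNAUTHORIZED_ROLE
    if len(matches) > 1:
        return ("error", "ambiguous: multiple matching JWTs")
    token, secret = matches[0]
    if not hs256_valid(token, secret["key"]):
        return ("error", "invalid signature")
    return ("authenticated", payload(token))
```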