Securing APIs and apps with OneGraph

What are JWTs?

JWT (or JSON Web Tokens) are an industry standard way of communicating auth openly and securely.

You can use a JWT as a way of verifying users:

  1. Authentication: knowing who a user is
  2. Authorization: knowing what a user is allowed to do

Get started in just two steps:

  1. Configure the rules for your API using AuthGuardian
  2. Install the plugin for your system to consume JWTs generated from your AuthGuardian rules

OneGraph generates JWTs for authentication with external services like Hasura, PostGraphile, Firebase, Netlify, and can add authentication and authorization for your Apollo Server GraphQL APIs, or even your own apps.

Overview of the OneGraph JWT process

OneGraph's standard AuthGuardian JWT flow follows these steps:

  1. App requests a user to sign in with $SERVICE (e.g. GitHub, Spotify)
  2. Upon the user successfully signing into $SERVICE, OneGraph will execute each rule specified in your AuthGuardian config and produce a JWT payload
  3. OneGraph will sign the JWT payload so your app can verify its authenticity and to prevent any tampering of the payload
  4. The JWT is given to the user, and the user is sent back to the app

Technical details

What algorithms can OneGraph sign JWTs with?

OneGraph can generate:

  • RSA256, for public/private JWTs with unique keys for every app
  • HS256, or shared-secret JWTs

While we default to using RSA256, OneGraph supports both algorithms so that you can use OneGraph JWTs with every external system.

What are JWKs, and what url should I use for my OneGraph app?

When using the recommended RS256 (private/public) JWT signing, JWKs are used to automated the distribution of public keys in a nice JSON format. The only bit of information you need to use them with your app or an external service is their url - every app has their own public keys generated (and potentially rotated) by OneGraph and hosted at a known url:

https://serve.onegraph.com/app/<app-id>/.well-known/jwks.json

Here's an example of a real url with usable JWKs:

https://serve.onegraph.com/app/d1995c39-be74-4c23-868a-a263d9a54ac1/.well-known/jwks.json

Example with create-react-appAuthGuardian