Securing APIs and apps with OneGraph
What are JWTs?
JWT (or JSON Web Tokens) are an industry standard way of communicating auth openly and securely.
You can use a JWT as a way of verifying users:
- Authentication: knowing who a user is
- Authorization: knowing what a user is allowed to do
Get started in just two steps:
- Configure the rules for your API using AuthGuardian
- Install the plugin for your system to consume JWTs generated from your AuthGuardian rules
OneGraph generates JWTs for authentication with external services like Hasura, PostGraphile, Firebase, Netlify, and can add authentication and authorization for your Apollo Server GraphQL APIs, or even your own apps.
Overview of the OneGraph JWT process
OneGraph's standard AuthGuardian JWT flow follows these steps:
- App requests a user to sign in with
$SERVICE
(e.g. GitHub, Spotify) - Upon the user successfully signing into
$SERVICE
, OneGraph will execute each rule specified in your AuthGuardian config and produce a JWT payload - OneGraph will sign the JWT payload so your app can verify its authenticity and to prevent any tampering of the payload
- The JWT is given to the user, and the user is sent back to the app
Technical details
What algorithms can OneGraph sign JWTs with?
OneGraph can generate:
RSA256
, for public/private JWTs with unique keys for every appHS256
, or shared-secret JWTs
While we default to using RSA256
, OneGraph supports both algorithms so that you can use OneGraph JWTs with every external system.
What are JWKs, and what url should I use for my OneGraph app?
When using the recommended RS256
(private/public) JWT signing, JWKs are used to automated the distribution of public keys in a nice JSON format. The only bit of information you need to use them with your app or an external service is their url - every app has their own public keys generated (and potentially rotated) by OneGraph and hosted at a known url:
https://serve.onegraph.com/app/<app-id>/.well-known/jwks.json
Here's an example of a real url with usable JWKs:
https://serve.onegraph.com/app/d1995c39-be74-4c23-868a-a263d9a54ac1/.well-known/jwks.json