
Protect console access via AWS Cognito (and possibly other similar tools) #3443

Open
scare21410 opened this issue Nov 28, 2019 · 6 comments
Labels
c/console Related to console k/ideas Discuss new ideas / pre-proposals / roadmap

Comments

scare21410 commented Nov 28, 2019

I would like to use AWS Cognito to take care of logging in users, MFA, managing user pools etc.

Cognito works by intercepting any requests to the app, checking cookies to see if user is logged in and if not, redirecting to login form, then redirecting back to the app.

Unfortunately, any request to /v1/query fails because of globalCookiePolicy being set to 'omit', making Cognito redirect the request to the login form.

So I think we could add some environment variable e.g. HASURA_COOKIE_POLICY to override the default setting.

Additionally, when using Cognito, I don't want to be forced to set admin secret even in production. I would suggest adding another option, e.g. HASURA_GRAPHQL_ADMIN_SECRET_DISABLED to make it possible to disable admin secret even in production.

I think this is a pretty easy change to make and I will be happy to provide a PR, if we agree on environment variable names.

I'm sure there are other tools that work like AWS Cognito, so this would fix it for every one of them.

Possibly related: #2722

esteiner commented Dec 13, 2019

We have the same issue when using Keycloak (instead of AWS Cognito) and its Gatekeeper in front of every application, since the kc_access cookie is not sent for /v1/query fetch requests because of Actions.js#98:

  // Options passed to fetch(); `credentials` decides whether the browser attaches cookies.
  const url = Endpoints.serverConfig;
  const options = {
    method: 'GET',
    credentials: globalCookiePolicy, // 'omit' here, so kc_access is never sent
    headers: getState().tables.dataHeaders,
  };

with globalCookiePolicy set to 'omit'.
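The two reports above describe the same mechanism: an auth proxy in front of Hasura decides on a session cookie, and the console's fetch() call is made with `credentials: 'omit'`, so the cookie is never attached and the proxy answers with a redirect to its login form instead of JSON. The following is an added example, not code from Hasura or from either commenter, that models that exchange offline for all three values `credentials` can take ('omit', 'same-origin', 'include'). The cookie name `kc_access` is taken from the comment above; the hostnames, the session token, the simplified cookie jar (keyed by origin only, no Path/Domain/SameSite handling) and the `authProxy`/`consoleRequest` helpers are constructed for illustration.

```javascript
// Constructed model of a cookie-gating auth proxy (Cognito / Keycloak Gatekeeper style)
// and of the browser's fetch() credentials modes. Not Hasura's code; names are assumed.
const SESSION_COOKIE = 'kc_access';

// Which cookies the browser attaches to a request, given the page origin that issued
// it and the fetch() credentials mode. The jar is a toy: { origin: { name: value } }.
function cookiesFor(jar, pageOrigin, requestUrl, credentials) {
  const target = new URL(requestUrl).origin;
  const stored = jar[target] || {};
  switch (credentials) {
    case 'omit':        // never send cookies, even to the same origin
      return {};
    case 'same-origin': // send cookies only when page and target origins match
      return pageOrigin === target ? stored : {};
    case 'include':     // always send cookies (cross-origin needs CORS consent as well)
      return stored;
    default:
      throw new Error(`unknown credentials mode: ${credentials}`);
  }
}

// The proxy: 302 to the login form unless a valid session cookie is presented.
function authProxy(req, validSessions) {
  const token = req.cookies[SESSION_COOKIE];
  if (!token || !validSessions.has(token)) {
    return {
      status: 302,
      headers: { location: '/login?redirect=' + encodeURIComponent(req.url) },
      body: '<html>login form</html>',
    };
  }
  return {
    status: 200,
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify({ ok: true, path: new URL(req.url).pathname }),
  };
}

// The console side: build the request the way the snippet above does, send it
// through the modelled browser + proxy, and report whether JSON came back.
// A real fetch() follows the 302 silently, so the console would see HTML.
function consoleRequest({ jar, pageOrigin, url, credentials, validSessions }) {
  const req = { url, method: 'GET', cookies: cookiesFor(jar, pageOrigin, url, credentials) };
  const res = authProxy(req, validSessions);
  if (res.status === 302) {
    return { ok: false, reason: 'redirected to ' + res.headers.location };
  }
  return { ok: true, data: JSON.parse(res.body) };
}

// Run the same /v1/query call under each credentials mode, plus a same-origin
// call issued from a different origin (e.g. a console served from another host).
function demo() {
  const validSessions = new Set(['sess-123']);                 // constructed session
  const origin = 'https://hasura.example.com';                 // assumed hostname
  const jar = { [origin]: { [SESSION_COOKIE]: 'sess-123' } };  // cookie set after login
  const url = origin + '/v1/query';
  const results = {};
  for (const credentials of ['omit', 'same-origin', 'include']) {
    results[credentials] = consoleRequest({ jar, pageOrigin: origin, url, credentials, validSessions });
  }
  results['same-origin-cross'] = consoleRequest({
    jar, pageOrigin: 'https://console.example.com', url, credentials: 'same-origin', validSessions,
  });
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

With 'omit' the request is redirected every time, which is the failure both comments describe. 'same-origin' fixes the case where the console is served from the same host as the API, and 'include' also covers a console hosted elsewhere, at the cost of requiring the API side to answer CORS preflights with `Access-Control-Allow-Credentials: true` and an explicit (non-wildcard) allowed origin.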

@marionschleifer marionschleifer added the support/needs-action support ticket that requires action by team label Dec 16, 2019
dsandip (Member) commented Dec 19, 2019

@scare21410 @esteiner Would love to discuss this in more detail and run some of our plans by you. Could you please help with setting up a chat using this.

@marionschleifer marionschleifer removed the support/needs-action support ticket that requires action by team label Dec 19, 2019
tirumaraiselvan (Contributor) commented

@rikinsk Can you review this task?

@scare21410 Happy to have a PR from you, could you also point to other kinds of cookie policies and how they might affect this? (Basically some kind of spec level info)

@marionschleifer marionschleifer added c/console Related to console c/auth 👮‍♀️ support/needs-triage Needs to be triaged so that we have enough information to add this to our backlog labels Mar 6, 2020
philip-wigg-qatalog commented

We're also affected by this issue. We can't log into the admin console when Hasura is fronted by Google Identity Aware Proxy (IAP).

@tirumaraiselvan tirumaraiselvan added support/needs-action support ticket that requires action by team p/high candidate for being included in the upcoming sprint and removed support/needs-triage Needs to be triaged so that we have enough information to add this to our backlog labels Apr 8, 2020
@rikinsk rikinsk removed c/auth support/needs-action support ticket that requires action by team labels Apr 8, 2020
rikinsk (Member) commented Apr 8, 2020

The following PR #4336 should fix the issue of the console not sending cookies with API calls.

This issue can be used to track the other proposed ideas.

@rikinsk rikinsk added k/ideas Discuss new ideas / pre-proposals / roadmap and removed p/high candidate for being included in the upcoming sprint labels Apr 8, 2020
@rikinsk rikinsk unassigned 0x777 and rikinsk Apr 8, 2020
Nohac commented Sep 18, 2020

Are there any updates on adding the possibility to disable the admin token? There's no reason to have an admin token in production, as it would be terrible if it got leaked.

10 participants