Hasura & Cognito
Connecting Hasura and Cognito is quite simple, actually. The architecture is straightforward, but meeting the requirements takes several steps. In our case we followed most of the Hasura documentation on this page to set up the resources in AWS, with a few variants.
They describe the following steps:
Differences in our product:
We do not need a hosted web UI, we are going to use our own.
We are going to use Python instead of JavaScript for all of our lambda functions.
We have to customize our Hasura roles based on our business logic.
Similarities
We have to use the Pre-Token generation trigger to generate custom claims.
We may have to sync users from Cognito into Hasura
We will follow the access control rules in the Hasura console.
Operational Excellence: The ability to run and monitor systems to deliver business value and to continually improve supporting processes and procedures.
Security: The ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies.
Reliability: The ability of a system to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues.
Performance Efficiency: The ability to use computing resources efficiently to meet system requirements, and to maintain that efficiency as demand changes and technologies evolve.
Cost Optimization: The ability to run systems to deliver business value at the lowest price point.
AWS Well Architected Framework PDF
Goals
Restrict access to Hasura so that only users authenticated through the Cognito user pool are accepted.
Provide different user types and privileges (a permissions scheme).
Architecture
From the above steps, this is the crux of the integration with Cognito. In short, Hasura has to be able to validate JWT tokens (verify their signature and decode their claims); this is done using the JWKs that Cognito hosts. From their documentation we read:
Cognito publishes its JWK under:
https://cognito-idp.<aws-region>.amazonaws.com/<user-pool-id>/.well-known/jwks.json
While starting Hasura, set the environment variable HASURA_GRAPHQL_JWT_SECRET or the flag --jwt-secret to the JSON below:
This is what we have in our case. Notice that these values are public (they contain only the JWKS URL, not any private key), so they are fine to share publicly:
Production Cognito Pool:
Staging Cognito Pool:
Architecture flow
We assume that the user has logged in through the Moped editor and has acquired a valid JWT token.
The user logs in to the site and gets a JWT token.
The user interacts with Hasura through the editor, providing the JWT token with each request.
Hasura receives the JWT token and uses the JWK to verify its signature and decode its claims.
Hasura evaluates the claims in that JWT token (the Hasura role and user claims) and determines whether the token is valid and which permissions apply, or whether access needs to be rejected.
Deployment strategy
For production and staging the Hasura cluster is deployed and maintained using Terraform and Terraform Cloud services, following the steps described above.
We generate the Cognito JWK URL (as shown in the Hasura documentation).
We generate the JSON containing the JWK URL.
We instantiate our Hasura resources using the JSON document as the value for the HASURA_GRAPHQL_JWT_SECRET variable.
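The two pieces that are ours to write in this design are the JWT secret JSON that Hasura reads from HASURA_GRAPHQL_JWT_SECRET and the Python Pre Token Generation trigger that adds the Hasura claims. The following is an added example, not code from this page or from Hasura; the group-to-role mapping, the role priority order and the "viewer" default role are assumptions standing in for our business logic.

```python
import json

# Assumed mapping from Cognito groups to Hasura roles (hypothetical business logic).
GROUP_TO_ROLE = {"admins": "admin", "editors": "editor"}
ROLE_PRIORITY = ["admin", "editor", "viewer"]  # most to least privileged
DEFAULT_ROLE = "viewer"  # role granted to every authenticated user
HASURA_CLAIMS_NAMESPACE = "https://hasura.io/jwt/claims"


def hasura_jwt_secret(region: str, user_pool_id: str) -> dict:
    """JSON value for HASURA_GRAPHQL_JWT_SECRET / --jwt-secret.

    Only the public JWKS URL is referenced, so this document is safe to share.
    Cognito cannot emit nested JSON claims, so the Hasura claims travel as a
    JSON string and claims_format tells Hasura to parse that string.
    """
    return {
        "type": "RS256",
        "jwk_url": f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}/.well-known/jwks.json",
        "claims_format": "stringified_json",
    }


def hasura_claims_for(sub: str, groups: list) -> dict:
    """Map the user's Cognito groups to Hasura roles; unknown groups grant nothing."""
    allowed = {DEFAULT_ROLE} | {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}
    default = next(r for r in ROLE_PRIORITY if r in allowed)
    return {
        "x-hasura-user-id": sub,
        "x-hasura-default-role": default,
        "x-hasura-allowed-roles": sorted(allowed),
    }


def lambda_handler(event, context):
    """Cognito Pre Token Generation trigger (V1 event shape)."""
    req = event["request"]
    groups = req.get("groupConfiguration", {}).get("groupsToOverride") or []
    claims = hasura_claims_for(req["userAttributes"]["sub"], groups)
    event["response"] = {
        "claimsOverrideDetails": {
            # Claim values must be strings, hence the stringified JSON.
            "claimsToAddOrOverride": {HASURA_CLAIMS_NAMESPACE: json.dumps(claims)}
        }
    }
    return event
```

Because roles are derived only from group membership known to Cognito, a user cannot widen their own allowed roles from the client side; Hasura then enforces the permission rules configured in the console for whichever allowed role the request selects.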
GraphQL API details
References and documentation
Hasura documentation: https://hasura.io/docs/1.0/graphql/core/guides/integrations/aws-cognito.html