Hasura & Cognito

PreviousSecrets Manager & Cognito NextReact & Cognito

Last updated 4 years ago

Was this helpful?

Hasura & Cognito

Connecting Hasura and cognito is quite simple, actually. The architecture is quite simple actually, but the requirements require several steps to get there. In our case we followed most of in this page to set up resources in AWS, with a few variants.

They describe the following steps:

Differences in our product:

We do not need a hosted web UI, we are going to use our own.
We are going to use Python instead of JavaScript for all of our lambda functions.
We have to customize our Hasura roles based on our business logic.

Similarities

We have to use the Pre-Token generation trigger to generate custom claims.
We may have to sync users from Cognito into Hasura
We will follow the access control rules in the Hasura console.

Diagram owner

Team

@ Team member

Informed

@ Stakeholder
@ Stakeholder

Status

/ / /

Last date updated

e.g.,24 Sep 2020

On this page

Name

Description

Operational Excellence

The ability to run and monitor systems to deliver business value and to continually improve supporting processes and procedures.

Security

The ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies.

Reliability

The ability of a system to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues.

Performance Efficiency

The ability to use computing resources efficiently to meet system requirements, and to maintain that efficiency as demand changes and technologies evolve

Cost Optimization

The ability to run systems to deliver business value at the lowest price point.

note

Goals

Restrict access to Hasura and allow the cognito user pool only.
Provide different users and privileges (permissions scheme)
Restrict access to Hasura and allow the cognito user pool only.
Provide different users and privileges (permissions scheme)

Architecture

From the above steps, this is crux of the integration with Cognito. In short, Hasura has to be able to decrypt JWT tokens, this is done by using JWKs which are hosted in cognito. From their documentation we read:

Cognito publishes their JWK under:
https://cognito-idp.<aws-region>.amazonaws.com/<user-pool-id>/.well-known/jwks.json
While starting Hasura, set the environmental variable HASURA_GRAPHQL_JWT_SECRET or the flag --jwt-secret to the below JSON:

{
"type":"RS256",
"jwk_url": "https://cognito-idp.<aws-region>.amazonaws.com/<user-pool-id>/.well-known/jwks.json",
"claims_format": "stringified_json"
}

This is what we have in our case, and notice these are pubilc and they are fine to share publicly:

Production Cognito Pool:

REGION: "us-east-1",
USER_POOL_ID: "us-east-1_Zc3pNWX51",
APP_CLIENT_ID: "ins01e2a8d3vd8apvnd0jv10c",

Staging Cognito Pool:

REGION: "us-east-1",
USER_POOL_ID: "us-east-1_U2dzkxfTv",
APP_CLIENT_ID: "3u9n9373e37v603tbp25gs5fdc",

Architecture flow

We assume that the user has logged in through the Moped editor, and has aquired a valid JWT token.

The user logs in to the site, gets a JWT token.
The users interacts through the editor with Hasura, and provides the JWT token.
Hasura retrieves the JWT token, and uses the JWK to parse it and decrypt/decode it.
Hasura evaluates the permissions in that JWT token and determines if it is a valid token, or if access needs to be rejected.

Deployment strategy

For production and staging the Hasura cluster is deployed and maintained using Terraform and Terraform Cloud services, following the steps described above.

We generate the cognito JWK url (as shown in the Hasura documentation).
We generate the JSON containing the JWK url.
We instantiate our Hasura resources using the json document as the value for the HASURA_GRAPHQL_JWT_SECRET variable.

GraphQL API details

References and documentation