Hasura & Cognito
Connecting Hasura and Cognito is actually quite simple: the architecture is straightforward, but getting there takes several steps. In our case we followed most of the steps in this page to set up the resources in AWS, with a few variants.
They describe the following steps:
We do not need a hosted web UI, we are going to use our own.
We are going to use Python instead of JavaScript for all of our lambda functions.
We have to customize our Hasura roles based on our business logic.
We have to use the Pre-Token generation trigger to generate custom claims.
We may have to sync users from Cognito into Hasura.
We will follow the access control rules in the Hasura console.
Operational Excellence: The ability to run and monitor systems to deliver business value and to continually improve supporting processes and procedures.
Security: The ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies.
Reliability: The ability of a system to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues.
Performance Efficiency: The ability to use computing resources efficiently to meet system requirements, and to maintain that efficiency as demand changes and technologies evolve.
Cost Optimization: The ability to run systems to deliver business value at the lowest price point.
Restrict access to Hasura and allow the Cognito user pool only.
Provide different users and privileges (permissions scheme).
Of the steps above, this one is the crux of the integration with Cognito. In short, Hasura has to be able to verify and decode the JWT tokens that Cognito issues; this is done with the JWKs (the pool's public signing keys), which Cognito hosts. From their documentation we read:
Cognito publishes their JWK under:
https://cognito-idp.<aws-region>.amazonaws.com/<user-pool-id>/.well-known/jwks.json
While starting Hasura, set the environment variable HASURA_GRAPHQL_JWT_SECRET or the flag --jwt-secret to the below JSON:
This is what we have in our case; notice that these values are public (a JWKS URL and public keys) and are fine to share publicly:
We assume that the user has logged in through the Moped editor and has acquired a valid JWT token.
The user logs in to the site, gets a JWT token.
The user interacts with Hasura through the editor, and provides the JWT token with each request.
Hasura receives the JWT token, fetches the JWK and uses it to verify the token's signature and decode its claims.
Hasura evaluates the permissions in that JWT token and determines if it is a valid token, or if access needs to be rejected.
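The two pieces described above, the HASURA_GRAPHQL_JWT_SECRET document built from the Cognito JWKS URL and the Python Pre Token Generation trigger that adds the custom Hasura claims, as an added example that is not code from this page or from the Moped project. The role names moped-admin/moped-editor/moped-viewer, the group-to-role mapping, and the sample trigger event are assumed placeholders; the claim names under https://hasura.io/jwt/claims are the ones Hasura expects.

```python
import json

HASURA_CLAIMS_NAMESPACE = "https://hasura.io/jwt/claims"
# Assumed role names: Cognito group names map 1:1 onto Hasura roles, listed from
# most to least privileged. A group not in this list is never emitted as a role.
ROLE_PRECEDENCE = ("moped-admin", "moped-editor", "moped-viewer")
DEFAULT_ROLE = "moped-viewer"  # every authenticated user gets at least this role


def hasura_jwt_secret(region: str, user_pool_id: str) -> dict:
    """Build the HASURA_GRAPHQL_JWT_SECRET document for one Cognito user pool.

    Cognito signs tokens with RS256 and publishes the public keys at the JWKS
    URL; Hasura fetches them from jwk_url and verifies each token's signature.
    claims_format is stringified_json because a Cognito trigger can only add
    string-valued claims, so the Hasura claims object is a JSON string.
    """
    jwks = f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}/.well-known/jwks.json"
    return {"type": "RS256", "jwk_url": jwks, "claims_format": "stringified_json"}


def hasura_claims(user_sub: str, groups: list) -> dict:
    """Derive the Hasura claims from the user's Cognito groups (business logic)."""
    allowed = [r for r in ROLE_PRECEDENCE if r in groups or r == DEFAULT_ROLE]
    return {
        "x-hasura-default-role": allowed[0],  # most privileged role the user holds
        "x-hasura-allowed-roles": allowed,    # roles the client may switch to
        "x-hasura-user-id": user_sub,         # stable Cognito subject, not the email
    }


def lambda_handler(event: dict, context=None) -> dict:
    """Cognito Pre Token Generation trigger: add the Hasura claims namespace."""
    request = event["request"]
    sub = request["userAttributes"]["sub"]
    groups = (request.get("groupConfiguration") or {}).get("groupsToOverride") or []
    event["response"]["claimsOverrideDetails"] = {
        "claimsToAddOrOverride": {HASURA_CLAIMS_NAMESPACE: json.dumps(hasura_claims(sub, groups))}
    }
    return event


if __name__ == "__main__":
    print(json.dumps(hasura_jwt_secret("us-east-1", "us-east-1_EXAMPLE")))
    # Constructed sample trigger event for a user who is in one Cognito group.
    sample = {"request": {"userAttributes": {"sub": "a1b2c3"},
                          "groupConfiguration": {"groupsToOverride": ["moped-editor"]}},
              "response": {}}
    print(json.dumps(lambda_handler(sample)["response"], indent=2))
```

Because the roles are derived from Cognito group membership rather than from anything the client sends, a user can only pick a role from x-hasura-allowed-roles, and Hasura's permission rules are then evaluated against x-hasura-user-id.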
For production and staging the Hasura cluster is deployed and maintained using Terraform and Terraform Cloud services, following the steps described above.
We generate the cognito JWK url (as shown in the Hasura documentation).
We generate the JSON containing the JWK url.
We instantiate our Hasura resources using the JSON document as the value for the HASURA_GRAPHQL_JWT_SECRET variable.
The documentation shows that we should be using the same patterns we have used in the past when working with JWT tokens:
Hasura documentation: