Moped Documentation
  • Welcome 👋
  • User Guides
    • Getting started
    • Map a project
  • Product Management
    • User communication
    • User management
    • User analytics
    • Local testing
    • Release process
    • Patch release process
    • Integrations
      • Dataset documentation
      • ArcGIS Online
      • eCapris
    • Features
  • Dev Guides
    • DB Docs & Data dictionary
    • Database backup policy
    • Moped Read Replica
    • How-to's
      • How do I start the Hasura cluster locally?
      • How do I launch the Hasura Console?
      • How do I generate an SSH key? (Mac)
      • How do I get a JWT token?
      • How to ping the GraphQL API
      • How to ping the REST API
      • How do I connect a database with Postgres GUIs?
      • How do I connect to the RDS instance?
      • How to load production data into a local instance
      • How do I update seed data?
    • Hasura
      • Hasura Roles
      • Hasura Migrations
        • Getting Started
        • Installing the Hasura CLI
        • Configuration Files
        • Hasura Migration Principles
        • The Migration file format
        • Development
        • Hasura Seed Data
        • Running the Hasura Cluster Locally (video)
        • Create a migration: Exercise 1 (video)
        • Create a migration: Exercise 2 (video)
        • Latest hasura-cluster features
    • User Management
    • Authentication
      • Authentication Architecture
      • DynamoDB & Cognito
      • Secrets Manager & Cognito
      • Hasura & Cognito
      • React & Cognito
      • Flask API & Cognito
      • Single Sign-On with CTM
    • Code organization
    • API
      • Configuration Files
      • Testing
      • User Management API
    • Maps and geospatial data
      • Access tokens and API keys
      • Map libraries
      • Map data
      • Map styles
      • Map layers and basemaps
      • React patterns
      • V1 Archive
        • Map libraries
        • Map data
        • Map custom hooks
        • Map styles
        • Map layers and basemaps
    • UI access control
    • Design system
      • Branding
      • Component styles
      • Text content
    • Activity Log
      • Architecture
      • GitHub Actions and Deployment of Updates
      • Hasura Event Logs and Truncate Cron Job
      • Authentication
  • See also
  • Get Moped support, report a bug, or request an enhancement
  • Data & Technology Services
  • Github repository
Powered by GitBook
On this page
  • Differences in our product:
  • Similarities
  • Goals
  • Architecture
  • Architecture flow
  • Deployment strategy
  • GraphQL API details
  • References and documentation

Was this helpful?

  1. Dev Guides
  2. Authentication

Hasura & Cognito

Connecting Hasura and cognito is quite simple, actually. The architecture is quite simple actually, but the requirements require several steps to get there. In our case we followed most of their documentation in this page to set up resources in AWS, with a few variants.

They describe the following steps:

  • Set up user pools and hosted web UI

  • Create a lambda function to add claims to the JWT

  • Configure Cognito to trigger the lambda function

  • Test the Cognito login and generate sample JWTs for testing

  • Configure Hasura to use Cognito keys

  • Add access control rules via the Hasura console

  • Sync users from Cognito

Differences in our product:

  • We do not need a hosted web UI, we are going to use our own.

  • We are going to use Python instead of JavaScript for all of our lambda functions.

  • We have to customize our Hasura roles based on our business logic.

Similarities

  • We have to use the Pre-Token generation trigger to generate custom claims.

  • We may have to sync users from Cognito into Hasura

  • We will follow the access control rules in the Hasura console.

Diagram owner

Team

  • @ Team member

Informed

  • @ Stakeholder

  • @ Stakeholder

Status

/ / /

Last date updated

e.g.,24 Sep 2020

On this page

Name

Description

Operational Excellence

The ability to run and monitor systems to deliver business value and to continually improve supporting processes and procedures.

Security

The ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies.

Reliability

The ability of a system to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues.

Performance Efficiency

The ability to use computing resources efficiently to meet system requirements, and to maintain that efficiency as demand changes and technologies evolve

Cost Optimization

The ability to run systems to deliver business value at the lowest price point.

AWS Well Architected Framework PDF

note

Goals

  • Restrict access to Hasura and allow the cognito user pool only.

  • Provide different users and privileges (permissions scheme)

  • Restrict access to Hasura and allow the cognito user pool only.

  • Provide different users and privileges (permissions scheme)

Architecture

From the above steps, this is crux of the integration with Cognito. In short, Hasura has to be able to decrypt JWT tokens, this is done by using JWKs which are hosted in cognito. From their documentation we read:

Cognito publishes their JWK under:

https://cognito-idp.<aws-region>.amazonaws.com/<user-pool-id>/.well-known/jwks.json

While starting Hasura, set the environmental variable HASURA_GRAPHQL_JWT_SECRET or the flag --jwt-secret to the below JSON:

{
"type":"RS256",
"jwk_url": "https://cognito-idp.<aws-region>.amazonaws.com/<user-pool-id>/.well-known/jwks.json",
"claims_format": "stringified_json"
}

This is what we have in our case, and notice these are pubilc and they are fine to share publicly:

Production Cognito Pool:

REGION: "us-east-1",
USER_POOL_ID: "us-east-1_Zc3pNWX51",
APP_CLIENT_ID: "ins01e2a8d3vd8apvnd0jv10c",

Staging Cognito Pool:

REGION: "us-east-1",
USER_POOL_ID: "us-east-1_U2dzkxfTv",
APP_CLIENT_ID: "3u9n9373e37v603tbp25gs5fdc",

Architecture flow

We assume that the user has logged in through the Moped editor, and has aquired a valid JWT token.

  1. The user logs in to the site, gets a JWT token.

  2. The users interacts through the editor with Hasura, and provides the JWT token.

  3. Hasura retrieves the JWT token, and uses the JWK to parse it and decrypt/decode it.

  4. Hasura evaluates the permissions in that JWT token and determines if it is a valid token, or if access needs to be rejected.

Deployment strategy

For production and staging the Hasura cluster is deployed and maintained using Terraform and Terraform Cloud services, following the steps described above.

  1. We generate the cognito JWK url (as shown in the Hasura documentation).

  2. We generate the JSON containing the JWK url.

  3. We instantiate our Hasura resources using the json document as the value for the HASURA_GRAPHQL_JWT_SECRET variable.

GraphQL API details

References and documentation

  • Hasura documentation: https://hasura.io/docs/1.0/graphql/core/guides/integrations/aws-cognito.html

PreviousSecrets Manager & CognitoNextReact & Cognito

Last updated 4 years ago

Was this helpful?

()

The documentations shows that we should be using the same patterns we have been using in the past when using JWT tokens:

Data & Technology Services
Sergio Garcia
Sergio Garcia
JWT token used as bearer token on hasura console