Hasura & Cognito

Connecting Hasura and Cognito is conceptually simple: Cognito issues signed JWTs and Hasura verifies them. Getting there, however, takes several steps. In our case we followed most of the Hasura documentation page on Cognito to set up the resources in AWS, with a few variants.

They describe the following steps:

Differences in our product:

  • We do not need a hosted web UI; we are going to use our own.

  • We are going to use Python instead of JavaScript for all of our Lambda functions.

  • We have to customize our Hasura roles based on our business logic.

Similarities

  • We have to use the Pre Token Generation trigger to generate the custom claims that Hasura reads.

  • We may have to sync users from Cognito into Hasura.

  • We will define the access control rules (permissions per role) in the Hasura console.
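As an added example of the Pre Token Generation step (this is not the project's own Lambda; the Cognito group names, the Hasura role names and the precedence between them are assumptions made for illustration), the trigger below derives the x-hasura-* claims from the user's Cognito group membership and stores them as a JSON string, which is what forces the "stringified_json" claims format on the Hasura side:

```python
"""Cognito Pre Token Generation trigger that adds Hasura session claims.

Added example, not the project's own Lambda. The Cognito group names, the Hasura
role names and the precedence between them are assumptions made for illustration.
"""
import json

HASURA_CLAIMS_KEY = "https://hasura.io/jwt/claims"   # Hasura's default claims namespace

# Assumed mapping from Cognito groups to Hasura roles (hypothetical names).
GROUP_TO_ROLE = {"admins": "admin", "editors": "editor"}
DEFAULT_ROLE = "viewer"                          # least-privileged role; every user gets it
ROLE_PRECEDENCE = ("admin", "editor", "viewer")  # most to least privileged


def build_hasura_claims(event):
    """Derive the x-hasura-* claims from server-side data only.

    The user id comes from the Cognito "sub" attribute and the roles from the
    group membership Cognito reports; nothing supplied by the client is
    consulted. Unknown groups grant nothing and a user with no mapped group
    ends up with DEFAULT_ROLE only, so the mapping fails closed.
    """
    request = event["request"]
    user_id = request["userAttributes"]["sub"]
    groups = (request.get("groupConfiguration") or {}).get("groupsToOverride") or []

    roles = {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}
    roles.add(DEFAULT_ROLE)
    allowed = [r for r in ROLE_PRECEDENCE if r in roles]
    return {
        "x-hasura-user-id": user_id,
        "x-hasura-default-role": allowed[0],     # highest-privilege role the user holds
        "x-hasura-allowed-roles": allowed,
    }


def lambda_handler(event, context=None):
    """Entry point Cognito invokes before issuing the token.

    Cognito only accepts string-valued custom claims, so the claims object is
    JSON-encoded into one string under HASURA_CLAIMS_KEY; Hasura's
    "claims_format": "stringified_json" setting decodes it again.
    """
    claims = build_hasura_claims(event)
    event["response"]["claimsOverrideDetails"] = {
        "claimsToAddOrOverride": {HASURA_CLAIMS_KEY: json.dumps(claims)}
    }
    return event


# Constructed sample event in the shape Cognito sends to the (V1) trigger.
SAMPLE_EVENT = {
    "request": {
        "userAttributes": {"sub": "4f3c1b2a-0000-4000-8000-000000000001",
                           "email": "user@example.com"},
        "groupConfiguration": {"groupsToOverride": ["editors", "unrelated-group"],
                               "iamRolesToOverride": [], "preferredRole": None},
    },
    "response": {"claimsOverrideDetails": None},
}

if __name__ == "__main__":
    out = lambda_handler(SAMPLE_EVENT)
    print(out["response"]["claimsOverrideDetails"]["claimsToAddOrOverride"][HASURA_CLAIMS_KEY])
```

The point to keep when adapting this to the real business logic: the role must come from something Cognito holds server-side (groups, or a user attribute only administrators can write), never from anything the client sends at login, and a user with no matching group should fall through to the least-privileged role rather than to no claims at all.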


AWS Well-Architected Framework pillars

  • Operational Excellence: The ability to run and monitor systems to deliver business value and to continually improve supporting processes and procedures.

  • Security: The ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies.

  • Reliability: The ability of a system to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues.

  • Performance Efficiency: The ability to use computing resources efficiently to meet system requirements, and to maintain that efficiency as demand changes and technologies evolve.

  • Cost Optimization: The ability to run systems to deliver business value at the lowest price point.

Reference: AWS Well Architected Framework PDF


Goals

  • Restrict access to Hasura so that only tokens issued by our Cognito user pool are accepted.

  • Provide different users and privileges (a permissions scheme based on Hasura roles).


Architecture

From the steps above, this is the crux of the integration with Cognito. In short, Hasura has to be able to verify the JWTs that Cognito issues. JWTs are signed, not encrypted: Hasura checks the RS256 signature against the public keys (JWKs) that Cognito publishes for the user pool and then reads its session variables from the token's claims. From the Hasura documentation:

Cognito publishes their JWK under:

https://cognito-idp.<aws-region>.amazonaws.com/<user-pool-id>/.well-known/jwks.json

While starting Hasura, set the environmental variable HASURA_GRAPHQL_JWT_SECRET or the flag --jwt-secret to the below JSON:

{
"type":"RS256",
"jwk_url": "https://cognito-idp.<aws-region>.amazonaws.com/<user-pool-id>/.well-known/jwks.json",
"claims_format": "stringified_json"
}

The "claims_format": "stringified_json" setting matters: Cognito only lets the Pre Token Generation trigger add string-valued claims, so the Hasura claims object has to be stored as a JSON string and Hasura must be told to parse it. The same configuration also accepts "issuer" and "audience" keys; setting them to https://cognito-idp.<aws-region>.amazonaws.com/<user-pool-id> and to the app client ID makes Hasura reject tokens issued to another app client of the same pool, whose signature would otherwise verify fine. Cognito puts the client ID in the aud claim of ID tokens only (access tokens carry client_id instead), so the audience check assumes the editor sends ID tokens.

This is what we have in our case. Notice these identifiers are public and fine to share: the JWKS endpoint built from them is itself public, and they grant no access by themselves.

Production Cognito Pool:

REGION: "us-east-1",
USER_POOL_ID: "us-east-1_Zc3pNWX51",
APP_CLIENT_ID: "ins01e2a8d3vd8apvnd0jv10c",

Staging Cognito Pool:

REGION: "us-east-1",
USER_POOL_ID: "us-east-1_U2dzkxfTv",
APP_CLIENT_ID: "3u9n9373e37v603tbp25gs5fdc",

Architecture flow

We assume that the user has logged in through the Moped editor and has acquired a valid JWT.

  1. The user logs in to the site and receives a JWT from Cognito.

  2. The user interacts with Hasura through the editor, sending the JWT with each request.

  3. Hasura reads the token, looks up the key named in its kid header in the Cognito JWKS, and verifies the RS256 signature. The token is decoded, not decrypted: its contents are readable by anyone who holds it, so the signature is the only thing that makes the claims trustworthy.

  4. Hasura checks the standard claims (expiry, plus issuer and audience if configured), then takes the user id and role from the x-hasura-* claims (the default role, or a requested role if it is in the allowed list) and evaluates the permission rules for that role. A token that fails any of these checks is rejected.
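The flow above, and the JWT secret configuration it relies on, as an added example (this is not Hasura's code; it mirrors the checks Hasura performs so that each failure mode can be seen). It runs offline: a throwaway RSA key stands in for Cognito's signing key, and the JWKS, kid, issuer URL, audience and claims are constructed stand-ins, not the real pool's values:

```python
"""Verify a Cognito-style RS256 JWT against a JWKS the way Hasura does.

Added example, not Hasura's code. Runs offline: a throwaway RSA key stands in
for Cognito's signing key, and the kid, issuer URL, audience and claims below
are constructed stand-ins, not the real pool's values.
"""
import base64, hashlib, json, secrets, time

HASURA_CLAIMS_KEY = "https://hasura.io/jwt/claims"
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix, RFC 8017


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def is_probable_prime(n, rounds=32):
    """Miller-Rabin; enough to mint a demo key, not a production key generator."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_rsa_key(bits=1024):
    """Throwaway key, kept small so the example runs quickly."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


def pkcs1v15_encode(msg, k):
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rs256_sign(key, msg):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(pkcs1v15_encode(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")


def rs256_verify(n, e, msg, sig):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        return False
    # Rebuild the full expected encoding and compare it whole; never parse the padding leniently.
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == pkcs1v15_encode(msg, k)


def jwks_from_key(key, kid):
    """Public half in the form Cognito serves at .well-known/jwks.json."""
    enc = lambda x: b64url_encode(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid,
                      "n": enc(key["n"]), "e": enc(key["e"])}]}


def make_jwt(key, kid, payload):
    header = {"alg": "RS256", "kid": kid}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(payload).encode())
    return signing_input + "." + b64url_encode(rs256_sign(key, signing_input.encode()))


def verify_jwt(token, jwks, issuer, audience, now=None):
    """Hasura's checks before it trusts a token: kid lookup in the JWKS, alg pinned
    to RS256 (the token never picks the algorithm), signature over header.payload,
    exp, iss and aud; then the stringified Hasura claims are decoded.
    Raises ValueError on any failure."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg")
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise ValueError("unknown kid")
    n, e = (int.from_bytes(b64url_decode(jwk[f]), "big") for f in ("n", "e"))
    if not rs256_verify(n, e, f"{h}.{p}".encode(), b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    return json.loads(claims[HASURA_CLAIMS_KEY])   # "claims_format": "stringified_json"


# Constructed stand-ins (same shape as a Cognito issuer URL; not the real pool).
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
AUDIENCE = "exampleappclientid"
KEY, KID = gen_rsa_key(), "demo-key-1"
JWKS = jwks_from_key(KEY, KID)


def issue_token(hasura_claims, exp_offset=3600, key=KEY, kid=KID):
    """Mint an ID-token-shaped JWT as the pool would after the Pre Token Generation trigger ran."""
    payload = {"sub": hasura_claims["x-hasura-user-id"], "iss": ISSUER, "aud": AUDIENCE,
               "token_use": "id", "exp": int(time.time()) + exp_offset,
               HASURA_CLAIMS_KEY: json.dumps(hasura_claims)}
    return make_jwt(key, kid, payload)


def try_verify(token, issuer=ISSUER, audience=AUDIENCE):
    """'ok' or the reason Hasura would reject the token."""
    try:
        verify_jwt(token, JWKS, issuer, audience)
        return "ok"
    except ValueError as err:
        return str(err)
```

Two design points carry over to the real deployment: the algorithm is pinned from configuration ("type": "RS256") rather than read from the token, which is what closes the alg=none class of bugs, and issuer and audience are checked in addition to the signature, because every app client of a pool shares the same JWKS and a signature alone cannot tell their tokens apart.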

Deployment strategy

For production and staging the Hasura cluster is deployed and maintained with Terraform and Terraform Cloud, following the steps described above.

  1. We build the Cognito JWK URL from the region and user pool ID (as shown in the Hasura documentation).

  2. We generate the JSON document containing that JWK URL.

  3. We instantiate our Hasura resources with that JSON document as the value of the HASURA_GRAPHQL_JWT_SECRET variable.

GraphQL API details

The documentation shows that we should use the same pattern we have used in the past with JWTs: the token is sent on every GraphQL request as a bearer token in the Authorization header (Authorization: Bearer <token>), which is also how the Hasura console attaches it.
