Auth0
Introduction
In this recipe, you'll learn how to configure an existing Auth0 application and generate a JWT which you can pass in the header of your requests to Hasura. After setting up your AuthConfig object to use JWT mode, this will allow you to validate users' identities and create permission rules which can limit access to underlying data served by Hasura DDN.
Before continuing, ensure you have:
- An Auth0 application.
- A local application that you're actively developing, built with any language or framework supported by Auth0's SDKs.
- A local Hasura DDN project.
Recipe
Step 1. Create a new Auth0 Action
From your Auth0 application's dashboard, click Action in the sidenav and choose Flows. Create a new Login flow and then choose the Custom option and click Create Action before entering a name for your Action.
Then, modify the onExecutePostLogin function to the following:
exports.onExecutePostLogin = async (event, api) => {
  const namespace = "claims.jwt.hasura.io";
  // Here, you'll need to fetch the user's role from Hasura DDN using an admin-level authenticated request
  // Learn more here: https://hasura.io/docs/3.0/auth/authentication/jwt/special-roles
  // Below, we're hard-coding the value for now
  const user_role = "user"; // the role returned from your request ☝️
  api.idToken.setCustomClaim(namespace, {
    "x-hasura-default-role": user_role,
    "x-hasura-allowed-roles": ["user"],
    "x-hasura-user-id": event.user.user_id,
  });
};
This will add the required Hasura namespace with the keys that Hasura DDN expects when decoding a JWT. You can modify the keys to suit your Hasura DDN roles.
Click Deploy.
You can create any custom keys you wish and reference them in your permissions using session variables. Above, x-hasura-user-id is simply an example. Any claim prefixed with x-hasura- is accessible to the Hasura DDN Engine. For more information on which values are required, check the authorization docs.
Step 2. Update your AuthConfig
Update your AuthConfig object to use JWT mode and your Auth0 JWKs:
kind: AuthConfig
version: v2
definition:
  mode:
    jwt:
      claimsConfig:
        namespace:
          claimsFormat: Json
          location: "/claims.jwt.hasura.io"
      issuer: "<your Auth0 tenant's URL>"
      key:
        jwkFromUrl: "https://<your Auth0 tenant's URL>/.well-known/jwks.json"
      tokenLocation:
        type: Header
        name: Auth-Token
The issuer value must match the token's iss claim exactly; Auth0 issues tokens with the full tenant URL, including its trailing slash, as the issuer. The location value is a JSON pointer to the namespace object the Action added in Step 1, so it must begin with a slash and name the namespace verbatim.
Then, create a new build of your supergraph:
ddn supergraph build local
Step 3. Test your configuration
Generate a new JWT by logging into your application. These values aren't typically displayed to users, so you'll need to log them while in development. You can then add that value as a header in the console and test any permissions you have in your metadata.
Wrapping up
In this guide, you learned how to integrate Auth0 with Hasura DDN to create a secure and scalable identity management solution using JWTs. By leveraging custom claims in conjunction with permissions, you can define precise access-control rules, ensuring that your application remains secure and meets your users' needs.
As you continue building out your supergraph, keep in mind that authentication and authorization are crucial components. Always validate your configuration and regularly test your setup to ensure it functions as expected across different roles and environments.
If you encounter issues or need further customization, consider reviewing our related documentation or exploring additional Auth0 features that can enhance your authentication flows.
Learn more about authentication and authorization
- Authentication with Hasura DDN
- Authorization with Hasura DDN
- Permissions with Hasura DDN