Skip to content

Commit c795cb4

Browse files
authored
Merge pull request #41 from grafbase/update-jwt-readme
update readmes again
2 parents d59109a + a767872 commit c795cb4

6 files changed

Lines changed: 19 additions & 6 deletions

File tree

extensions/authenticated/README.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,7 @@ Provides an `@authenticated` directive, for subgraphs, which prevents access to
55
## Install
66

77
```toml
8+
# grafbase.toml
89
[extension.authenticated]
910
version = "1.0"
1011
```
@@ -18,6 +19,7 @@ grafbase extension install
1819
## Usage
1920

2021
```graphql
22+
# subgraph schema
2123
extend schema
2224
@link(
2325
url: "https://grafbase.com/extensions/authenticated/1.0.0"

extensions/authenticated/extension.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
[extension]
22
name = "authenticated"
3-
version = "1.0.2"
3+
version = "1.0.3"
44
kind = "authorization"
55
description = "Prevent access to elements in the query when the user is not authenticated"
66
license = "Apache-2.0"

extensions/jwt/README.md

Lines changed: 12 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,6 @@ Add the following to your Grafbase Gateway configuration file:
88

99
```toml
1010
# grafbase.toml
11-
1211
[extensions.jwt]
1312
version = "0.2"
1413
```
@@ -23,7 +22,6 @@ grafbase extension install
2322

2423
```toml
2524
# grafbase.toml
26-
2725
[extension.jwt.config]
2826
# == Required ==
2927
# URL to download the JWKS for signature validation.
@@ -51,7 +49,18 @@ If you want anonymous users you should change the default authentication in you
5149

5250
```toml
5351
# grafbase.toml
54-
5552
[authentication]
5653
default = "anonymous"
5754
```
55+
56+
## Validation mechanism
57+
58+
This extension validates JWT ([RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519)) tokens and verifies signatures using JWKs ([RFC 7517](https://datatracker.ietf.org/doc/html/rfc7517)) from `jwks.url`. The validation follows these steps:
59+
60+
1. One of the specified JWK must match the JWT signature.
61+
2. If present, the `exp` claim must be a future timestamp, with a 60-second leeway.
62+
3. If present, the `nbf` claim must be a past timestamp, with a 60-second leeway.
63+
4. With a configured `issuer`, the `iss` claim must match the specified `issuer`.
64+
5. With a configured `audience`, the `aud` claim must match the specified `audience`. If the `aud` claim is an array, at least one of the audience `audience` must match.
65+
66+
**Important**: Be sure to check with your authentication provider whether you must check `audience` and/or the `issuer`, you may accept JWT tokens that weren't intended for you service otherwise.

extensions/jwt/extension.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
[extension]
22
name = "jwt"
3-
version = "0.2.6"
3+
version = "0.2.7"
44
kind = "authentication"
55
description = "JWT authentication extension."
66
repository_url = "https://github.com/grafbase/extensions/tree/main/extensions/jwt"

extensions/requires-scopes/README.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,7 @@ Provides the `@requiresScopes` directive which prevents access to elements in th
55
## Install
66

77
```toml
8+
# grafbase.toml
89
[extension.requires-scopes]
910
version = "1.0"
1011
```
@@ -18,6 +19,7 @@ grafbase extension install
1819
## Usage
1920

2021
```graphql
22+
# subgraph schema
2123
extend schema
2224
@link(
2325
url: "https://grafbase.com/extensions/requires-scopes/1.0.0"

extensions/requires-scopes/extension.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
[extension]
22
name = "requires-scopes"
3-
version = "1.0.4"
3+
version = "1.0.5"
44
kind = "authorization"
55
description = "Prevent access to elements in the query if the user doesn't have the right OAuth scopes"
66
repository_url = "https://github.com/grafbase/extensions/tree/main/extensions/requires-scopes"

0 commit comments

Comments
 (0)