
How to map correctly to make `x-hasura-allowed-roles` field an array using claims_map in Hasura?


I have a JWT token which looks like this:

{
  "aud": "xx",
  "iss": "http://xx.com/adfs/services/trust",
  "iat": 1649956864,
  "exp": 1649960464,
  "apptype": "xx",
  "appid": "dcf6c0d8-7f3c-4904-a0c9-852c92c7624f",
  "authmethod": "http://xx",
  "auth_time": "2022-04-14T17:21:04.095Z",
  "ver": "1.0"
}

I am trying to map appid into x-hasura-allowed-roles field as an item of an array by using claims_map in Hasura.

HASURA_GRAPHQL_JWT_SECRET: '{"jwk_url":"xx","claims_map":{"x-hasura-allowed-roles":{"path":"$.appid"},"x-hasura-default-role":{"path":"$.appid"}}}'

Note this part inside:

"x-hasura-allowed-roles":{"path":"$.appid"}

I will get this error when I query

invalid x-hasura-allowed-roles; should be a list of roles: parsing [] failed, expected Array, but encountered String

which makes sense, because x-hasura-allowed-roles needs to be an array.

First Try (Failed)

If I change to

"x-hasura-allowed-roles":[{"path":"$.appid"}]

When I start Hasura, I will get the error

Fatal Error:- Environment variable HASURA_GRAPHQL_JWT_SECRET: Error in $['claims_map'][0]: parsing String failed, expected String, but encountered Object

Second Try (Failed)

"x-hasura-allowed-roles":{"path":["$.appid"]}

Fatal Error:- Environment variable HASURA_GRAPHQL_JWT_SECRET: Error in $['claims_map'].path: parsing Text failed, expected String, but encountered Array

How to map correctly to make x-hasura-allowed-roles field an array? Thanks


Solution

  • @Arjun Yelamanchili helped create a GitHub ticket at https://github.com/hasura/graphql-engine/issues/8402


    Here is a temporary solution: I ended up hardcoding x-hasura-allowed-roles like this:

    HASURA_GRAPHQL_JWT_SECRET: '{"jwk_url":"xx","claims_map":{"x-hasura-allowed-roles":["dcf6c0d8-7f3c-4904-a0c9-852c92c7624f"],"x-hasura-default-role":{"path":"$.appid"}}}'
    

    It is more strict.

    However, I feel it might not be necessary, as we will define each appid's permissions in the Hasura UI. Also, I need to update HASURA_GRAPHQL_JWT_SECRET each time I onboard a new app.
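The difference between the two `claims_map` variants above, as an added example that is not part of the original post and is not Hasura's code: a simplified Python model of the role checks. The helper names (`resolve`, `session_role`, `outcome`), the second appid and the rule that the default role must appear in the allowed list are assumptions of this sketch.

```python
# Simplified model of claims_map role resolution (illustration, not Hasura's code).
# Constructed sample: decoded token payload from the question, trimmed.
TOKEN = {"iss": "http://xx.com/adfs/services/trust",
         "appid": "dcf6c0d8-7f3c-4904-a0c9-852c92c7624f"}
# Constructed token for an app that was never onboarded (made-up appid).
OTHER_TOKEN = {"iss": TOKEN["iss"],
               "appid": "00000000-0000-0000-0000-000000000000"}

# claims_map from the question: both claims are read from $.appid.
PATH_MAP = {"x-hasura-allowed-roles": {"path": "$.appid"},
            "x-hasura-default-role": {"path": "$.appid"}}
# claims_map from the workaround: literal allow-list, default role from $.appid.
LITERAL_MAP = {"x-hasura-allowed-roles": ["dcf6c0d8-7f3c-4904-a0c9-852c92c7624f"],
               "x-hasura-default-role": {"path": "$.appid"}}

def resolve(entry, payload):
    """{"path": "$.a.b"} is looked up in the token; anything else is a literal."""
    if isinstance(entry, dict) and "path" in entry:
        value = payload
        for key in entry["path"].split(".")[1:]:  # drop the leading "$"
            value = value[key]
        return value
    return entry

def session_role(claims_map, payload):
    """Return the session role or raise ValueError.
    Assumption: the default role must be a member of the allowed roles."""
    allowed = resolve(claims_map["x-hasura-allowed-roles"], payload)
    default = resolve(claims_map["x-hasura-default-role"], payload)
    if not isinstance(allowed, list):
        raise ValueError("x-hasura-allowed-roles should be a list of roles, got "
                         + type(allowed).__name__)
    if default not in allowed:
        raise ValueError("role %r is not in allowed roles" % default)
    return default

def outcome(claims_map, payload):
    try:
        return "ok: " + session_role(claims_map, payload)
    except ValueError as err:
        return "rejected: " + str(err)

if __name__ == "__main__":
    for name, cmap, tok in [("path map, known app", PATH_MAP, TOKEN),
                            ("literal map, known app", LITERAL_MAP, TOKEN),
                            ("literal map, unknown app", LITERAL_MAP, OTHER_TOKEN)]:
        print(name, "->", outcome(cmap, tok))
```

Under this model the literal allow-list turns `HASURA_GRAPHQL_JWT_SECRET` into an explicit list of onboarded apps: a validly signed token whose appid is not in the list is rejected before any role permissions are consulted.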