• rp (1 year ago)
  @snipebin no. That wouldn't work. The semantics of frontend-to-backend communication are very different from those of backend-to-backend.

• rp (1 year ago)
  One simple solution could be to just use API keys for each of your backend services, and to add a middleware for all routes which checks that the API key is present in the header.

• rp (1 year ago)
  Alternatively, you could put all your backend services in the same VPC and add firewall rules so that the microservice is reachable only from within that VPC.

• snipebin (1 year ago)
  @User thanks for the perspective on this. From reading https://github.com/supertokens/supertokens-core/issues/250, I believe the Supertokens Hasura integration for authentication is going to be JWT based, right? If we can't use Supertokens to issue JWTs for API clients, then we're going to miss out on all Authorization/Access Control functionality Hasura offers, as it relies on custom claims in the JWT in order to identify the user. We would have to use the X-Hasura-Admin-Secret header, and "JWT authentication is skipped when the X-Hasura-Admin-Secret header is found in the request and admin access is granted." This shifts all authorization to the auth proxy service that would be responsible for authenticating API clients.

• snipebin (1 year ago)
  Furthermore, issuing JWTs with a different service for API clients (i.e. AWS Cognito) wouldn't work, because the Hasura JWT mode authentication integration only supports a single set of JWT alg and key to validate JWTs, so in essence it only supports a single auth service.

• snipebin (1 year ago)
  So I think if we're to use Supertokens at this point we're left with Hasura webhook authentication, where we would authenticate API clients with API keys which we issue and manage, and validate JWTs issued by Supertokens for human users, bridging each case into the appropriate headers Hasura needs in order to identify the user.

• rp (1 year ago)
  @snipebin yes. As of now, you would have to use the webhook auth method with Hasura. @gusfune actually made this integration and has open-sourced it as well.

• rp (1 year ago)
  Once we release the JWT method, then you would be able to use that.

• snipebin (1 year ago)
  Not until you guys can also issue JWTs for machine users, for the reasons stated above.