How to authenticate user using subscription

[guitcastro]

Currently I can validate my user authentication using spring security by passing the access_token in the subscription endpoint:

ws:example.com/subscriptions?access_token=token

In the above example I am able to successful connect to the websocket, However when I try to get the authentication object when I receive a message in the connection using SecurityContextHolder.getContext().authentication it returns null.

It's possible to manual authentication the user by querying the connection request? If yes, can you please help me with this one?

[kapilnayar]

@guitcastro were you able to get it to work successfully. we are looking to use Spring security to authenticate the token and then access the token in the subscription message handling.

[guitcastro]

@kapilnayar Any news on this regards please comment in here.

[oliemansm]

@guitcastro
I tried to take a stab at this using the approach described by Apollo: https://www.apollographql.com/docs/react/advanced/subscriptions.html#authentication

I've created a sample app here: https://github.com/graphql-java-kickstart/samples/tree/master/subscription-with-authentication. Besides the obvious Java backend you'll find a small react frontend in the frontend directory. You can either run that separately with npm start or just run the backend and open the browser to the homepage. The result of that separate frontend dir is copied into the backend package. Nothing fancy, just incrementing a number.

There's no readme yet, so just code for now. It's also clear from this sample project that graphql-spring-boot could be improved by providing support for this out of the box and exposing the principal in a more user friendly manner. Right now you've got to do some hacky stuff to get a hold of your principal.

In ApolloConfiguration.js you can see that the token is injected when setting up the weblink. This has to be done on the fly obviously to ensure you inject the correct token:

const wsLink = new WebSocketLink({
  uri: `ws://localhost:9000/subscriptions`,
  options: {
    reconnect: true,
    connectionParams: {
      authToken: 'foobar',
    }
  }
});

The key part in the backend is to add your own SubscriptionConnectionListener to get a hold of that connectionParams object. See AuthenticationConnectionListener:

public Optional<Object> onConnect(Object payload) {
    log.debug("onConnect with payload {}", payload.getClass());
    String token = ((Map<String, String>) payload).get("authToken");
    log.info("Token: {}", token);
    return Optional.of(token);
  }

Then in MySubscriptionResolver you can get a hold of the object the onConnect method returned:

Publisher<Integer> hello(DataFetchingEnvironment env) {
    GraphQLContext context = env.getContext();
    Optional<String> token = context.getSession()
        .map(Session::getUserProperties)
        .map(props -> props.get(ApolloSubscriptionConnectionListener.CONNECT_RESULT_KEY))
        .map(String.class::cast);
    log.info("Subscribe to publisher with token: {}", token);
    return publisher;
  }

In this case I simply returned this String token, but you can return any object you like.

It's a work in progress and as stated would be nice to create an easier to use feature in graphql-spring-boot, but hope this helps you on your way for now.

[guitcastro]

@oliemansm Thanks for the response.

I can get the user authentication using the DataFetchingEnvironment

dataFetchingEnvironment.getContext().getSession().getUserPrincipal()

However this is not integrated with spring security, where I can get the user using: SecurityContextHolder.getContext().getAuthentication() thus, it's impossible to use features like Security Annotations.

[oliemansm]

@guitcastro This project doesn't provide any integration out of the box for securing regular queries using Spring Security either. In that case you'd have to write your own filter and add it to the security chain to populate the SecurityContext upon request. Perhaps something similar could be done in this case.

I only took a look now how to integrate authentication using subscriptions in the first place. This could serve as a basis to investigate next steps how to integrate this with Spring Security.

[oliemansm]

@guitcastro
I was able to get a hold of the principal in my publisher by setting the authentication in the SecurityContext in the ConnectionListener

  public Optional<Object> onConnect(Object payload) {
    log.debug("onConnect with payload {}", payload.getClass());
    String token = ((Map<String, String>) payload).get("authToken");
    log.info("Token: {}", token);
    SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(token, null));
    return Optional.of(token);
  }

Then in my publisher I could get a hold of it using

Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();

If you start a separate thread at that time and you want to be able to use method based security you'd have to pass the Authentication into that thread and use the same trick to populate the SecurityContext with that Authentication there. From that point on method based security should work.

[guitcastro]

@oliemansm Amazing! That's exactly what I was looking for!

[oliemansm]

Perhaps we could create a small graphql-spring-security-starter that would provide basic support for this out of the box along with (JWT) token based filter for queries and mutations to make it a bit easier to work with.

[guitcastro]

@oliemansm That makes sense; I will reopen the issue. Although a documentation update may be enough

[oliemansm]

Sample showing usage is now available here: https://github.com/graphql-java-kickstart/samples/tree/master/subscription-with-authentication. Still needs a README though to explain it a bit.

[morrowyn]

Hi,

I tried using this sample and I noticed the following:
When I add the following to the project
implementation 'org.springframework.boot:spring-boot-starter-oauth2-resource-server'
and append the following to the WebSecurityConfigurerAdapter
and() .oauth2ResourceServer() .jwt()

I get the following ClassCastException:

java.lang.ClassCastException: class graphql.kickstart.servlet.context.DefaultGraphQLServletContext cannot be cast to class graphql.kickstart.servlet.context.GraphQLWebSocketContext (graphql.kickstart.servlet.context.DefaultGraphQLServletContext and graphql.kickstart.servlet.context.GraphQLWebSocketContext are in unnamed module of loader 'app')

I'm trying to protect the graphql endpoint with oauth2 and jwt.

So I'm a bit confused now on how to properly secure a graphql endpoint including the subscriptions, because when I don't cast it, my request seems to hang when POST a subscription, unable to receive data.

[PhilippS93]

@guitcastro
I was able to get a hold of the principal in my publisher by setting the authentication in the SecurityContext in the ConnectionListener

  public Optional<Object> onConnect(Object payload) {
    log.debug("onConnect with payload {}", payload.getClass());
    String token = ((Map<String, String>) payload).get("authToken");
    log.info("Token: {}", token);
    SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(token, null));
    return Optional.of(token);
  }

Then in my publisher I could get a hold of it using

Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();

If you start a separate thread at that time and you want to be able to use method based security you'd have to pass the Authentication into that thread and use the same trick to populate the SecurityContext with that Authentication there. From that point on method based security should work.

I am using method based security and sometimes the SecurityContextHolder.getContext().getAuthentication() seems to be an AnonymousAuthenticationToken in here:

  @Before("allGraphQLResolverMethods() && isDefinedInApplication() && !isMethodAnnotatedAsUnsecured()")
    public void doSecurityCheck() {
        if (SecurityContextHolder.getContext() == null ||
                SecurityContextHolder.getContext().getAuthentication() == null ||
                !SecurityContextHolder.getContext().getAuthentication().isAuthenticated() ||
                AnonymousAuthenticationToken.class.isAssignableFrom(SecurityContextHolder.getContext().getAuthentication().getClass())) {
            throw new AccessDeniedException("User not authenticated");
        }
    }

You said, that we need to pass the Authentication into the thread where this check is made, but how can I achieve this?

Seems to work when using:
SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_INHERITABLETHREADLOCAL);

[Siteware]

@guitcastro
I was able to get a hold of the principal in my publisher by setting the authentication in the SecurityContext in the ConnectionListener

  public Optional<Object> onConnect(Object payload) {
    log.debug("onConnect with payload {}", payload.getClass());
    String token = ((Map<String, String>) payload).get("authToken");
    log.info("Token: {}", token);
    SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(token, null));
    return Optional.of(token);
  }

Then in my publisher I could get a hold of it using

Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();

If you start a separate thread at that time and you want to be able to use method based security you'd have to pass the Authentication into that thread and use the same trick to populate the SecurityContext with that Authentication there. From that point on method based security should work.

@oliemansm

This seems to work sometimes but not always!
When the publisher gets called it is sometimes done in another thread (behind the scenes). Then the SecurityContextHolder.getContext().getAuthentication() == null.

working case:

2020-08-31 19:14:51.587  INFO 55881 --- [nio-8080-exec-1] s.a.s.s.AuthenticationConnectionListener : user authenticated, set authentication object on security context
2020-08-31 19:14:51.636  INFO 55881 --- [nio-8080-exec-1] be.siteware.abaco.security.SecurityUtil  : getting users email

not working:

2020-08-31 19:15:48.937  INFO 55881 --- [nio-8080-exec-5] s.a.s.s.AuthenticationConnectionListener : user authenticated, set authentication object on security context
2020-08-31 19:15:48.943  INFO 55881 --- [nio-8080-exec-6] be.siteware.abaco.security.SecurityUtil  : getting users email

This seems to be randomly working and not working.
Setting the SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_INHERITABLETHREADLOCAL) does not help either.

Any thoughts or ideas why this is functioning like this and how I can solve this?

[metsfan]

^ I am having this issue as well. If I set a breakpoint and go step by step it works, but if I let it run, it breaks. There is some kind of race condition going on here. I gave up doing authorization through conventional means and decided instead to just pass my authorization token in the body of my subscription request, and do authorization manually. It's dirty but it works. Hopefully this gets fixed in the future.

[philip-jvm]

Hey @metsfan, I managed to reproduce this. Seems to be due to how websocket threading works with frames.
I wrote a description in this PR philip-jvm/learn-spring-boot-graphql#7 and also covered it in this video https://www.youtube.com/watch?v=Q8k-u1cDwic&list=PLiwhu8iLxKwL1TU0RMM6z7TtkyW-3-5Wi&index=35

Hope this helps

[metsfan]

@philip-jvm Thank you this solved my problem! Great tutorial. Liked and subscribed :)

[oliemansm]

Very nice work on those tutorials, @philip-jvm. We've put up a link to them on our docs site if you don't mind, not sure if you were aware: https://www.graphql-java-kickstart.com/tutorials/.

[philip-jvm]

Thank you very much @oliemansm . It's a pleasure to be on the docs :)

[ermadmi78]

See Spring Security authorization example of GraphQL subscriptions for graphql-java-kickstart server here