-
I provided a GraphQL interface with Smallrye Graphql in Quarkus with a query and a subscription:
If I try to run the application and call the query using the integrated graphql-ui of Quarkus, everything works quite well if I add the Authorization header. Query
Header
Now I try to do the same with the subscription: Subscription
And I also added the same Header:
Unfortunately for the subscription I get an error message:
Checking the console I see that the same information:
I was expecting that the authentication is checked during the HTTP to WS upgrade. I still see the first response.
What is the correct way to implement authenticated GraphQL subscriptions with Quarkus and SmallRye?
-
/cc @Ladicek (smallrye), @jmartisk (graphql,smallrye), @phillip-kruger (graphql,smallrye), @radcortez (smallrye)
-
Authentication is checked already when doing the WS upgrade, and then authorization for specific operations is checked when invoking those operations. If you're getting a data fetching error, it seems the user is authenticated but isn't authorized, but without a full reproducer, I can't tell what exactly is wrong
-
Thanks for your answer!
and a minimal configuration for the OIDC-provider (with environment variables). I still face the issue with this code. I can call the query and the mutation successfully adding the authorization header in the Quarkus Dev UI with the GraphQL UI Extension.
Ok, so I was able to reproduce the problem using the graphiql UI, but it actually works when I do the same using a regular (programmatic) graphql client. For subscriptions, Graphql-ui doesn't seem to be sending the Authorization header that you set in the UI. Looking at the browser's debugging console, it's not there, and that's why it doesn't work. I'm not sure how graphiql is supposed to handle this, but it may be something that we could fix on our side.
The reason it gets through the initial handshake (and creates the websocket connection) is that you only have placed security checks on the GraphQL operations, but not on the Quarkus HTTP server as a whole. But then the websocket channe…
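The configuration below illustrates the point made in this reply: with security checks only on the GraphQL operations, an anonymous WebSocket upgrade succeeds and the failure surfaces later as a data fetching error, whereas an HTTP-level permission on the `/graphql` path rejects the upgrade itself. This is an added example, not code from the thread or from the Quarkus project; the role, OIDC values and the default `/graphql` path are assumptions.

```properties
# Added example (not from the thread). Assumed: OIDC bearer tokens via environment
# variables, a "user" role on the @RolesAllowed subscription, default /graphql endpoint.

# --- Weak: only the GraphQL operations carry security annotations. The HTTP server
# accepts the WebSocket upgrade from a client that sends no Authorization header, and
# the missing identity is only reported later as a data fetching error inside the socket.
quarkus.oidc.auth-server-url=${OIDC_AUTH_SERVER_URL}
quarkus.oidc.client-id=${OIDC_CLIENT_ID}
quarkus.oidc.application-type=service

# --- Hardened: require an authenticated identity for every request to /graphql, which
# includes the GET carrying the WebSocket upgrade. A client that omits the Authorization
# header (as graphql-ui does for subscriptions) now gets a 401 at the handshake instead
# of an open connection, which is the behaviour the question expected.
quarkus.http.auth.permission.graphql.paths=/graphql
quarkus.http.auth.permission.graphql.policy=authenticated
```

The hardened setting does not replace the per-operation `@RolesAllowed` checks; it adds the earlier check at the upgrade, so a client that authenticates but lacks the role still receives the per-operation authorization error.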