add notices in jwt docs regarding audience check (#2557)

- also update firebase sample-app README with correct JWT conf
hasura · Jul 16, 2019 · a3e7a20 · a3e7a20
1 parent 71e2b45
commit a3e7a20
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 1 deletion.
diff --git a/community/sample-apps/firebase-jwt/README.md b/community/sample-apps/firebase-jwt/README.md
@@ -52,7 +52,7 @@ HASURA_GRAPHQL_ADMIN_SECRET : youradminsecretkey
 ```
 
 ```
-HASURA_GRAPHQL_JWT_SECRET: {"type":"RS512", "jwk_url": "https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com"}
+HASURA_GRAPHQL_JWT_SECRET: {"type":"RS256", "jwk_url": "https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com", "audience": "<firebase-project-id>", "issuer": "https://securetoken.google.com/<firebase-project-id>"}
 ```
 
 ## Sending JWT to Hasura

diff --git a/docs/graphql/manual/auth/authentication/jwt.rst b/docs/graphql/manual/auth/authentication/jwt.rst
@@ -264,6 +264,18 @@ or
    }
 
 
+.. admonition:: Important!
+
+   Certain JWT providers share JWKs between multiple tenants. They use the
+   ``aud`` claim of JWT to specify the intended audience for the JWT. Setting
+   the ``audience`` field in the Hasura JWT configuration will make sure that
+   the ``aud`` claim from the JWT is also checked during verification. Not doing
+   this check will allow JWTs issued for other tenants to be valid as well.
+
+   In these cases, you **MUST** set the ``audience`` field to appropriate value.
+   Failing to do is a major security vulnerability.
+
+
 ``issuer``
 ^^^^^^^^^^
 This is an optional field. It takes a string value.
@@ -284,6 +296,11 @@ Examples:
      "issuer": "https://my-auth-server.com"
    }
 
+.. note::
+
+   Certain providers require you to verify the ``iss`` claim on the JWT. To do
+   that you can set this field to the appropriate value.
+
 
 
 Examples
@@ -363,6 +380,16 @@ Using env vars:
       serve
 
 
+Security considerations
+-----------------------
+
+Setting audience check
+^^^^^^^^^^^^^^^^^^^^^^
+Certain JWT providers share JWKs between multiple tenants (like Firebase). They use the ``aud`` claim of JWT to specify the intended tenant for the JWT. Setting the ``audience`` field in the Hasura JWT configuration will make sure that the ``aud`` claim from the JWT is also checked during verification. Not doing this check will allow JWTs issued for other tenants to be valid as well.
+
+In these cases, you **MUST** set the ``audience`` field to appropriate value. Failing to do is a major security vulnerability.
+
+
 Popular providers and known issues
 ----------------------------------
-Original file line number
+Diff line change
@@ Expand Up / @@ -52,7 +52,7 @@ HASURA_GRAPHQL_ADMIN_SECRET : youradminsecretkey @@
     ```
     ```
-    HASURA_GRAPHQL_JWT_SECRET: {"type":"RS512", "jwk_url": "https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com"}
+    HASURA_GRAPHQL_JWT_SECRET: {"type":"RS256", "jwk_url": "https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com", "audience": "<firebase-project-id>", "issuer": "https://securetoken.google.com/<firebase-project-id>"}
     ```
     ## Sending JWT to Hasura
@@ Expand Down @@