- Hasura Platform
- Getting started
- Installing the Hasura CLI
- The complete tutorial
- GraphQL tutorial
- Hasura project
- Hasura cluster
- Project microservices
- API Console
- Auth
- Data (GraphQL/JSON APIs)
- Filestore
- Notify (Sending emails/SMS)
- Postgres
- API gateway
- Hasura Hub
- Hasura CLI reference
- Hasura API reference
- Guides
- Installing Hasura on a Kubernetes Cluster
- Hasura architecture
- Billing for Hasura
- Moving to v0.16 from v0.15
- Moving to v0.15 from older versions
Github authentication¶
Setup¶
Web apps¶
For web apps using Github, we have to use the “Authorization Code” grant process (or the traditional web server process) as Github doesn’t support the `implicit grant process`_. So this process needs a backend server to handle intermediate requests.
Overview¶
First, you have setup and configure your Github application. Then, you have to make a request to the Github API for an “authorization code”, specifying a “Redirect URI” (which is basically a URL to your application). Github would respond to this “Redirect URI” with the “authorization code”. Your backend application has to parse the authorization code and make one more request to the Github API. This final API call will return an access token in the response. Your application should now validate the access token by passing it to a Hasura auth endpoint. Hasura will validate the token, and will login the user (if the user is seen for the first time then Hasura will also create the user).
Pre-requisites¶
- Register an application with Github, obtain the client ID and client secret.
- Go to https://github.com/settings/developers and on top right and click on “Register a new application” to create a new application. Fill the following form that appears to create your application.
- In the form, you have to add “Authorized Redirect URLs”. This is where you will put your application’s endpoint/URL which will receive the authorization code.
- Now you should see your application’s settings page, which also lists the client ID and secret. Copy and keep them safe.
Configuration¶
- Now you need to configure Hasura auth to tell it to use these credentials.
- To configure, go to the conf/auth.yaml file inside your Hasura project.
- Under
github, set theclientId.
Note
The github key might be commented out. Make sure to uncomment it.
github:
clientId: "String"
clientSecret:
secretKeyRef:
key: auth.github.client_secret
name: hasura-secrets
clientId: The client ID obtained when creating the application.
clientSecret: The client secret obtained when creating the application. As you see in the above code snippet, the client secret is a reference to a hasura project secret called
auth.github.client_secret. To add your client secret tohasura project secrets, run the following command from your project directory.$ hasura secret update auth.github.client_secret
The process¶
Redirect the browser (full page or popup) to
https://github.com/login/oauth/authorizewith the following set of query parameters. Please note that you have to make the browser redirect to this URL and not make AJAX calls. The following parameters are mandatory:client_id: The client ID you obtain from your Github application settings.scope: Permissions that your application needs. Set this touser:email.redirect_uri: Theredirect_urivalue you have already setup (from Step 2 in pre-requisites).state: A unique string value of your choice that is hard to guess. Used to prevent CSRF.
For example:
https://github.com/login/oauth/authorize? scope=user:email& redirect_uri=https%3A%2F%2Foauth2.example.com%2Foauthcallback& client_id=812741506391& state=DgkRrHXmyu3KLd0KDdfq
The documentation (in detail) for this can be found here: https://developer.github.com/v3/oauth/.
Github will handle the authentication, and if the user has granted permission for your app, it will redirect back to the “Redirect URI” with the authorization code as
codein the URL query string.Now your application has to parse the URL and retrieve the authorization code.
Once the
codeis obtained, send thecodeto Hasura Auth microservice:
POST auth.<cluster-name>.hasura-app.io/v1/login HTTP/1.1
Content-Type: application/json
{
"provider" : "github",
"data" : {
"code": "String",
"redirect_uri": "String (optional)",
"state": "String"
}
}
- If successful, this will return a response as follows:
HTTP/1.1 200 OK
Content-Type: application/json
{
"auth_token": "b4b345f980ai4acua671ac7r1c37f285f8f62e29f5090306",
"hasura_id": 79,
"new_user": true,
"hasura_roles": [
"user"
]
}
- If the user is a new user,
new_userwill be true, else false. - To check if the current user is logged in, make a call to:
/v1/user/info. - To logout, make a call to
/v1/user/logout. - To get Hasura credentials of current logged in user,
/v1/user/info.
