GraphQL dropping authorization header

We have a Tyk REST API using OIDC as its authorization method.
And I have a GraphQL API.
When using the playground I put in the authorization header, but the debug log shows “Key not authorized”. As best as I can tell Tyk’s GraphQL implementation isn’t passing the header to the API.

Has anyone been successful on using GraphQL and an auth header?

Adding some more details… We set up the GraphQL API with the same OIDC auth configuration.
Then on the data source I set header:
Authorization: {{ .request.headers.Authorization }}
per the documentation. I’m getting a different error now:

time="Jul 02 17:26:41" level=warning msg="JWT Invalid" api_id=24067ab67171442c5369d02cbd8bbb53 api_name="Communities Dev" error="Validation error. The 'Authorization' header did not have the correct format." mw=OpenIDMW org_id=5d5edc54fc99b200014228c1 origin= path="/v1/communities/"
time="Jul 02 17:26:41" level=warning msg="Attempted access with invalid key." api_id=24067ab67171442c5369d02cbd8bbb53 api_name="Communities Dev" key="****JWT]" mw=OpenIDMW org_id=5d5edc54fc99b200014228c1 origin= path="/v1/communities/"

Hi @ryoung, just to clarify a few things:

  1. Is the OIDC auth working in the REST API? If not, then you could check the claims of the token.
  2. Is the GraphQL implementation based off the REST API, and is it trying to pass the OIDC Authorization header value across to the REST API?

Client ==> GraphQL (OIDC auth mode) ==> REST API (OIDC auth mode)

  1. Yes, the OIDC is working with the REST API directly.
  2. That’s what I requested it to do. Do I have the correct configuration for that? The error states the key is not in the correct format.

@ryoung Have you tried putting the Bearer prefix in front of the Auth value?

After trying a couple of tests with this scenario in mind, I do not think it’s possible at this time. The UDG documentation deals with the query and response data.
We will be glad if you can point us to anywhere in the docs that mentions request or headers in the data source for review.
But as you suggested, GraphQL does not pass the auth header across to REST. I am talking to folks internally to know if there is a way to do that.
In the meantime, could you explain further on what you are trying to achieve?

Thanks for the response.
My configuration was lifted from the GraphQL configuration documentation:

[Image: screenshot from the documentation]

We are trying to pass along authorization headers to the upstream.

Appreciate the link and screenshot of the documentation. I will inform the internal team and update you as soon as possible.

Could you share the version of your gateway?

Our gateway version is v3.1.2

Just got back from the internal team. It appears the feature of injecting or parsing headers is only available from version 3.2.1 and above. Please follow our migration guide to 3.2, as there are some breaking changes.

I tested it on the gateway 3.2.1 version and it works quite well. If you are migrating then please take note of the breaking changes as it could cause unforeseen issues.

Hi, I’m having the same issue. Authorization is not passed to the GraphQL. I’m using v4.0.1.

Strip auth data is disabled: “strip_auth_data”: false,

If I set it manually in the data source it works.

Any advice how to solve this issue?
Thanks,
Amer

Hey @trkich

Is there anything in the logs? What’s the error message you’re getting?
In the meantime I’ll try to replicate this on my side in 4.0.1. There was a slight problem with Universal Data Graph in 4.0.1, it was about passing query parameters to REST upstreams, but maybe it’s also affecting headers.

Also - welcome to the community!
Agata

Hey @agata-wit, thank you for your warm welcome.

Actually I solved it with Header Forwarding; I did not know I had to manually set header forwarding.

It’s explained here: 6. Header Forwarding

2 Likes
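
For anyone debugging the same symptom, here is a small upstream-side check that classifies what actually arrived in the Authorization header. It is an added example, not code from the thread or from Tyk. The function name, labels and sample token are constructed for illustration, treating a literal `{{` as an unexpanded placeholder is an assumption, and no signature is verified.

```python
import base64
import json
import re

SEGMENT = re.compile(r"^[A-Za-z0-9_-]+$")  # base64url alphabet, no padding

def b64url_json(segment):
    """Decode one base64url JWT segment into a dict, or return None."""
    try:
        padded = segment + "=" * (-len(segment) % 4)
        obj = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return obj if isinstance(obj, dict) else None

def classify_authorization(value):
    """Return a label describing the shape of an Authorization header value."""
    if not value or not value.strip():
        return "missing"               # header was dropped before the upstream
    if "{{" in value:
        return "unrendered-template"   # assumption: placeholder sent literally
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token:
        return "no-bearer-scheme"      # e.g. a raw JWT without "Bearer "
    parts = token.strip().split(".")
    if len(parts) != 3 or not all(SEGMENT.match(p) for p in parts):
        return "malformed-jwt"
    if any(b64url_json(p) is None for p in parts[:2]):
        return "malformed-jwt"         # header/payload are not JSON objects
    return "well-formed"               # format only; signature NOT checked

def seg(obj):
    """Encode a dict as an unpadded base64url JWT segment."""
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample token: placeholder signature, not a real credential.
SAMPLE_JWT = ".".join([seg({"alg": "RS256", "typ": "JWT"}),
                       seg({"sub": "constructed-user"}), "c2ln"])

if __name__ == "__main__":
    for sample in (None, "{{ .request.headers.Authorization }}",
                   SAMPLE_JWT, "Bearer abc", "Bearer " + SAMPLE_JWT):
        print(repr(sample)[:45], "->", classify_authorization(sample))
```

Log only the returned label on the upstream, never the header value itself, so tokens do not end up in debug logs.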