docs: Add a few security-related warnings to JWT auth docs (#3299)

Docs-only change, adding a couple of relevant warnings to the JWT auth docs. The "secure your subgraphs" bit is relevant outside of JWT and should probably be sprinkled in a few more places—but is extra important here (since, presumably, without JWT-in-router, subgraphs have their own auth). The warning about headers will be eventually resolved by #3224, but in the meantime it's worth calling out so no one makes a mistake. --------- Co-authored-by: Dylan Anthony <dbanty@users.noreply.github.com> Co-authored-by: Stephen Barlow <barlow.stephen+git@gmail.com>
apollographql · Jun 30, 2023 · 26e7394 · 26e7394
1 parent 30c6c6d
commit 26e7394
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/.changesets/docs_jwt_auth_warnings.md b/.changesets/docs_jwt_auth_warnings.md
@@ -0,0 +1,5 @@
+### Add a few security-related warnings to JWT auth docs ([PR #3299](https://github.com/apollographql/router/pull/3299))
+
+There are a couple potential security pitfalls when leveraging the router for JWT authentication. These are now documented in [the relevant section of the docs](https://www.apollographql.com/docs/router/configuration/authn-jwt). If you are currently using JWT authentication in the router, be sure to [secure your subgraphs](https://www.apollographql.com/docs/federation/building-supergraphs/subgraphs-overview#securing-your-subgraphs) and [use care when propagating headers](https://www.apollographql.com/docs/router/configuration/authn-jwt#example-forwarding-claims-to-subgraphs). 
+
+By [@dbanty](https://github.com/dbanty) in https://github.com/apollographql/router/pull/3299
diff --git a/docs/source/configuration/authn-jwt.mdx b/docs/source/configuration/authn-jwt.mdx
@@ -10,6 +10,8 @@ The Apollo Router supports request authentication and key rotation via the [JSON
 
 By enabling JWT authentication, you can block malicious traffic at the edge of your graph instead of relying on [header forwarding](./header-propagation/) to propagate tokens to your subgraphs.
 
+> ⚠️ Under all circumstances, your subgraphs should be accessible _only_ via the router—not directly by clients. This is especially true if you're relying on JWT authentication in the router. Make sure to [secure your subgraphs](/federation/building-supergraphs/subgraphs-overview/#securing-your-subgraphs).
+
 **To use this feature:**
 
 - You must have an identity provider (**IdP**) or similar service that issues JWTs to authenticated clients using one of the signature algorithms supported by the [jsonwebtoken Rust library](https://crates.io/crates/jsonwebtoken) (most popular signing algorithms are supported).
@@ -183,6 +185,8 @@ fn process_request(request) {
 
 </ExpansionPanel>
 
+> ⚠️ Explicitly listing claims and _always_ setting headers for them is strongly recommended to avoid possible security issues when [forwarding headers](./header-propagation/) to subgraphs.
+
 ### Example: Forwarding claims to subgraphs as GraphQL extensions
 
 Below is an example [Rhai script](../customizations/rhai/) that forwards a JWT's claims to individual subgraphs via GraphQL extension. This enables each subgraph to define logic to handle (or potentially reject) incoming requests based on claim details. This function should be imported and run in your [`main.rhai`](#example-mainrhai) file.