
We should have an improved way of authentication/authorization for the GraphQL endpoint.


Level 1

2/19/25

Request for Feature Enhancement (RFE) Summary: We should have an improved way of authentication and authorization for the GraphQL endpoint. In the current design, even unauthenticated or improperly authenticated requests are allowed to hit the endpoint and receive a 200 response code. Instead we should get a 401 or 403 response code with proper messages.
Use-case: If we are doing any implementation on the basis of the response code, the current implementation will not work, as it will always give 200 as the response code.
Current/Experienced Behavior: In the current design, even unauthenticated or improperly authenticated requests are allowed to hit the endpoint and receive a 200 response code.
Improved/Expected Behavior: If the access token is not correct or the request is unauthenticated, then we should get a 401 or 403 response code with proper error messages.
Environment Details (AEM version/service pack, any other specifics if applicable): AEM as SaaS
Customer-name/Organization name:  
Screenshot (if applicable):  
Code package (if applicable):  
6 Comments


Level 5

2/20/25

@AvinashKu4 @kautuk_sahni I agree on this. This is the biggest problem with GraphQL. Even when you query for a fragment which is not present in the system, it always gives a 200 response. Whatever you do, it always gives a 200 response. The GraphQL endpoint should handle the response codes properly.


Employee Advisor

2/21/25

In your opinion, what should be the factor for the authorization? When you put authorization on the GraphQL endpoint, you can or cannot execute GraphQL queries; but you cannot limit a user to executing only one type of query but not a different one.


Level 1

2/24/25

Hi @Jörg_Hoh ,


Thank you for your response!

We want to clarify that if a user attempts to access the GraphQL endpoint with an incorrect or missing authorization token, they should not receive a 200 OK response with an empty body. Instead, they should receive a 401 Unauthorized or 403 Forbidden status.

In our case, we are using JWT tokens for authorization.

Our intention is not to restrict users from running different types of queries. Once a user is authorized, they should be able to execute any query.


Employee Advisor

2/24/25

Hi,


That should be fairly easy with the existing tooling, because you just need to enforce authentication for that access. That means that every user needs to be authenticated; on the authorization level you just need a simple group ("authenticated user") of which every user is a member.

And then configure Closed User Groups on the GraphQL endpoint, with the requirement to be part of that "authenticated user" group.


Level 1

2/24/25

Hi @Jörg_Hoh ,


We already have Closed User Groups on the GraphQL endpoint, but the issue is that the user is authenticated, yet when the authorization (JWT) code is incorrect or blank, we are not getting a 401 or any error message in the body.


In that case we are always getting a 200 code with an empty body, so we are not able to distinguish when the token is incorrect and when there is no content to fetch.
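The behaviour the RFE asks for, and the ambiguity the last comment describes (a 200 with an empty body for both a bad token and an empty result), sketched as an added example that is not part of this thread or of AEM: a gate in front of a GraphQL handler that verifies an HS256 JWT offline and returns 401 for a missing or invalid token and 403 for a valid token outside the required group, so that only authorized requests ever reach a 200. The shared secret, the `authenticated-users` group name and the `execute_query` callback are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed HS256 secret for the demo only; a real deployment verifies against its issuer's keys.
SHARED_SECRET = b"demo-secret-not-for-production"
REQUIRED_GROUP = "authenticated-users"  # hypothetical name for the CUG group mentioned in the thread

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def mint_jwt(claims: dict, ttl: int = 60) -> str:
    """Mint an HS256 token with the demo secret; used here only to build sample requests."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({**claims, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str):
    """Return the claims of a valid, unexpired HS256 token, or None on any format/signature/expiry failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":  # reject alg "none" and key confusion
            return None
        expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        return claims if claims.get("exp", 0) >= time.time() else None  # a token without exp is rejected too
    except (ValueError, AttributeError):  # malformed base64/JSON, wrong segment count, non-object header/claims
        return None

def handle_graphql(headers: dict, execute_query):
    """Gate a GraphQL request: 401 for a missing/invalid token, 403 for a token outside the group, else run it."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):].strip() if auth.startswith("Bearer ") else ""
    if not token:
        return 401, {"errors": [{"message": "Missing bearer token"}]}
    claims = verify_jwt(token)
    if claims is None:
        return 401, {"errors": [{"message": "Invalid or expired token"}]}
    if REQUIRED_GROUP not in claims.get("groups", []):
        return 403, {"errors": [{"message": f"Token is not a member of {REQUIRED_GROUP}"}]}
    # Only authorized callers get here, so a 200 with empty data now unambiguously means "no content".
    return 200, {"data": execute_query(claims)}
```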