Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
Read More & Register today!

AEM Headless - GraphQL Query Authentication from Non AEM environment

Avatar

Level 4
Level 4
6/1/23 3:20:58 AM

Hi Team,

I'm trying to expose contents in DAM to a third party application via Content Fragments and GraphQL query. I have created queries and persisted it. I have the below questions:

 

1. I would like to know the Authentication token to be passed in the API request

2. The GraphQL query in local instance gives the publish url of an asset like below in the response:

http://localhost:4503/content/dam/my-project/images/image%20(1).png

Would this be the same in graphql response in the prod environment as well?

like https://prod-domain/content/dam/my-project/images/image%20(1).png. If so, would I be able to access the image using that url directly?

 

Thanks,

Rakesh

Topics

Topics help categorize Community content and increase your ability to discover relevant content.

Content Fragments

Views

1.5K

Replies

12
Sign in to like this content

Total Likes

Translate
Translate
12 Replies

Avatar

Community Advisor
Community Advisor
6/1/23 4:45:46 AM

Hi @rakesh_h2 

 

By default all the GraphQL queries on publish instance is open for all and does not require authentication. 

You can refer below article to secure the content and add permissions on top of it.

https://experienceleague.adobe.com/docs/experience-manager-cloud-service/content/headless/security/p...

 

On second point, yes It will publish domain URL for an asset when you used _publishUrl option in GraphQL query.

Hope this helps!

Views

1.5K

Replies

9
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 4
Level 4
6/1/23 5:09:31 AM
In response to iamnjain

Hi @iamnjain ,

On the second point, when I use the _publishUrl option in the query, I would get something like www.domain/content/dam/<path-to-image> in the query response in publish prod environment. But if I directly put the same url in browser, I get 403 Forbidden. How would I be able to use in the third party application then?

Views

1.5K

Replies

4
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
6/1/23 5:15:48 AM
In response to rakesh_h2

Hi @rakesh_h2 

 

This seems weird. You mean, you are getting Publish domain with www instead of fully qualified publish domain starting with https?

 

When I tried on my prod instance, It's giving me correct results. Can you try on some other environment once?

Views

1.5K

Replies

3
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 4
Level 4
6/1/23 5:23:50 AM
In response to iamnjain

Hi @iamnjain ,

When I tried in other environments, I get

"img": {
"altText": "Image Alt text",
"ariaLabel": "Image Alt text",
"mobileImage": {
"_path": "/content/dam/my-project/images/image (1).png",
"_authorUrl": "http://localhost:4502/content/dam/my-project/images/image%20(1).png",
"_publishUrl": "http://localhost:4503/content/dam/my-project/images/image%20(1).png",
"width": 396,
"height": 220
},

If I try in dev environment, I get a publish url for the image which is directly accessible in browser (without any authentication. meaning if I hit the url in browser, the image would get downloaded). But what I get in prod environment is not accessible in browser.

Views

1.5K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 4
Level 4
6/1/23 5:32:22 AM
In response to iamnjain

@iamnjain , Could you pls provide your fully qualified publish domain url. You can mask sensitive data. Just wanted to see the structure.

Views

1.5K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
6/1/23 5:39:36 AM
In response to rakesh_h2

Sure! I am using this in Query

imagePath {
... on ImageRef {
_path
_publishUrl
}

 

In response, I am getting 

"imagePath": {
"_path": "/content/dam/{path_to_image}",
"_publishUrl": "https://domain.com/content/dam/{path_to_image}"
}

Which is accessible over internet.

 

I can think of two possibilities in your case, 

1. Are you able to access other images over Prod publish domain if you try manually any other image?

2. Publish URL configured properly on Prod Instance, less likely.

Views

1.5K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 4
Level 4
6/1/23 5:27:21 AM
In response to iamnjain

Hi @iamnjain ,

On the first point, when I publish my GraphQL query in prod publish, I can access it from an external application without any authentication?

Views

1.5K

Replies

3
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
6/1/23 5:35:14 AM
In response to rakesh_h2

Yes, that's mentioned on Adobe documentation which I attached on earlier reply. You can refer that and to enable authentication. By default, It will be open for all.

Views

1.5K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
6/1/23 11:42:02 AM

Hello @rakesh_h2 

 

The GraphQL endpoints are publicly accessible, but the content that they return depends on user's access.

 

Example: if one sets up CUG, the results returned will be based on user's session.

 

For server-to-server authentication, you can use Service Credentials of AEM (Access tokens). Dedicated Service accounts when used with CUG should allow to expose only relevant data

Aanchal Sikka

Views

1.4K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 4
Level 4
6/2/23 12:04:44 AM
In response to aanchal-sikka

@aanchal-sikka Makes sense now.

So if no CUG is applied for the content which the graphQL query accesses in query, no need of authentication for the API even in prod? The publishUrl of assets returned in the query result in prod would be accessible without any authentication?

Views

1.3K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
Rejection flow in AEM translation Project

Views

32

Likes

0

Replies

0
Adobe Developers Live, November 2024, On-Demand Session | Orchestrating Commerce APIs for headless implementations

Views

33

Likes

0

Replies

0
Adobe Developers Live, November 2024, On-Demand Session | Energizing Adobe Commerce with AEM Assets and Gen AI

Views

35

Likes

0

Replies

0
Adobe Developers Live, November 2024, On-Demand Session | CDN & WAF configuration in AEM Cloud Service

Views

36

Likes

0

Replies

0
Use of AEM instead of standalone Apache Sling and Karaf approach

Views

67

Likes

0

Replies

0