AEM Headless - GraphQL Query Authentication from Non AEM environment | Community
Skip to main content
R
rakesh_h2
Level 3
June 1, 2023

AEM Headless - GraphQL Query Authentication from Non AEM environment

  • June 1, 2023
  • 2 replies
  • 2709 views

Hi Team,

I'm trying to expose contents in DAM to a third party application via Content Fragments and GraphQL query. I have created queries and persisted it. I have the below questions:

 

1. I would like to know the Authentication token to be passed in the API request

2. The GraphQL query in local instance gives the publish url of an asset like below in the response:

http://localhost:4503/content/dam/my-project/images/image%20(1).png

Would this be the same in graphql response in the prod environment as well?

like https://prod-domain/content/dam/my-project/images/image%20(1).png. If so, would I be able to access the image using that url directly?

 

Thanks,

Rakesh

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.

2 replies

iamnjain
Community Advisor
iamnjainCommunity Advisor
Community Advisor
June 1, 2023

Hi @rakesh_h2 

 

By default all the GraphQL queries on publish instance is open for all and does not require authentication. 

You can refer below article to secure the content and add permissions on top of it.

https://experienceleague.adobe.com/docs/experience-manager-cloud-service/content/headless/security/permissions.html#publish-service-permissions

 

On second point, yes It will publish domain URL for an asset when you used _publishUrl option in GraphQL query.

Hope this helps! 🙂

    R
    rakesh_h2Author
    Level 3
    June 1, 2023

    Hi @iamnjain ,

    On the second point, when I use the _publishUrl option in the query, I would get something like www.domain/content/dam/<path-to-image> in the query response in publish prod environment. But if I directly put the same url in browser, I get 403 Forbidden. How would I be able to use in the third party application then?

      iamnjain
      Community Advisor
      iamnjainCommunity Advisor
      Community Advisor
      June 1, 2023

      Hi @rakesh_h2 

       

      This seems weird. You mean, you are getting Publish domain with www instead of fully qualified publish domain starting with https?

       

      When I tried on my prod instance, It's giving me correct results. Can you try on some other environment once?

        aanchal-sikka
        Community Advisor
        aanchal-sikkaCommunity Advisor
        Community Advisor
        June 1, 2023

        Hello @rakesh_h2 

         

        The GraphQL endpoints are publicly accessible, but the content that they return depends on user's access.

         

        Example: if one sets up CUG, the results returned will be based on user's session.

         

        For server-to-server authentication, you can use Service Credentials of AEM (Access tokens). Dedicated Service accounts when used with CUG should allow to expose only relevant data

        Aanchal Sikka
          R
          rakesh_h2Author
          Level 3
          June 2, 2023

          @aanchal-sikka Makes sense now.

          So if no CUG is applied for the content which the graphQL query accesses in query, no need of authentication for the API even in prod? The publishUrl of assets returned in the query result in prod would be accessible without any authentication?

            Terms & ConditionsAccessibility statement

            Loading footer...