Expand my Community achievements bar.

AEM Headless - GraphQL Query Authentication from Non AEM environment

Avatar

Level 4

Hi Team,

I'm trying to expose contents in DAM to a third party application via Content Fragments and GraphQL query. I have created queries and persisted it. I have the below questions:

 

1. I would like to know the Authentication token to be passed in the API request

2. The GraphQL query in local instance gives the publish url of an asset like below in the response:

http://localhost:4503/content/dam/my-project/images/image%20(1).png

Would this be the same in graphql response in the prod environment as well?

like https://prod-domain/content/dam/my-project/images/image%20(1).png. If so, would I be able to access the image using that url directly?

 

Thanks,

Rakesh

Topics

Topics help categorize Community content and increase your ability to discover relevant content.

12 Replies

Avatar

Community Advisor

Hi @rakesh_h2 

 

By default all the GraphQL queries on publish instance is open for all and does not require authentication. 

You can refer below article to secure the content and add permissions on top of it.

https://experienceleague.adobe.com/docs/experience-manager-cloud-service/content/headless/security/p...

 

On second point, yes It will publish domain URL for an asset when you used _publishUrl option in GraphQL query.

Hope this helps!

Avatar

Level 4

Hi @iamnjain ,

On the second point, when I use the _publishUrl option in the query, I would get something like www.domain/content/dam/<path-to-image> in the query response in publish prod environment. But if I directly put the same url in browser, I get 403 Forbidden. How would I be able to use in the third party application then?

Avatar

Community Advisor

Hi @rakesh_h2 

 

This seems weird. You mean, you are getting Publish domain with www instead of fully qualified publish domain starting with https?

 

When I tried on my prod instance, It's giving me correct results. Can you try on some other environment once?

Avatar

Level 4

Hi @iamnjain ,

When I tried in other environments, I get

"img": {
"altText": "Image Alt text",
"ariaLabel": "Image Alt text",
"mobileImage": {
"_path": "/content/dam/my-project/images/image (1).png",
"_authorUrl": "http://localhost:4502/content/dam/my-project/images/image%20(1).png",
"_publishUrl": "http://localhost:4503/content/dam/my-project/images/image%20(1).png",
"width": 396,
"height": 220
},

If I try in dev environment, I get a publish url for the image which is directly accessible in browser (without any authentication. meaning if I hit the url in browser, the image would get downloaded). But what I get in prod environment is not accessible in browser.

Avatar

Level 4

@iamnjain , Could you pls provide your fully qualified publish domain url. You can mask sensitive data. Just wanted to see the structure.

Avatar

Community Advisor

Sure! I am using this in Query

imagePath {
... on ImageRef {
_path
_publishUrl
}

 

In response, I am getting 

"imagePath": {
"_path": "/content/dam/{path_to_image}",
"_publishUrl": "https://domain.com/content/dam/{path_to_image}"
}

Which is accessible over internet.

 

I can think of two possibilities in your case, 

1. Are you able to access other images over Prod publish domain if you try manually any other image?

2. Publish URL configured properly on Prod Instance, less likely.

Avatar

Level 4

Hi @iamnjain ,

On the first point, when I publish my GraphQL query in prod publish, I can access it from an external application without any authentication?

Avatar

Community Advisor

Yes, that's mentioned on Adobe documentation which I attached on earlier reply. You can refer that and to enable authentication. By default, It will be open for all.

Avatar

Community Advisor

Hello @rakesh_h2 

 

The GraphQL endpoints are publicly accessible, but the content that they return depends on user's access.

 

Example: if one sets up CUG, the results returned will be based on user's session.

 

For server-to-server authentication, you can use Service Credentials of AEM (Access tokens). Dedicated Service accounts when used with CUG should allow to expose only relevant data


Aanchal Sikka

Avatar

Level 4

@aanchal-sikka Makes sense now.

So if no CUG is applied for the content which the graphQL query accesses in query, no need of authentication for the API even in prod? The publishUrl of assets returned in the query result in prod would be accessible without any authentication?