SOLVED

How to restrict GraphQL endpoint on Publish side with users unknown


Level 3

Hi all,

I have gone through all the forum posts and documentation related to Authentication, CUG and everything related to the GraphQL endpoint. But my case here is: is it possible to restrict the users so they are able to access only a certain GraphQL endpoint and not any other one? Here the situation is, we are unsure of the users and the application is facing public users (meaning no login for the system to establish a CUG based on the users). Or would it make sense to restrict the system itself? Not sure if this works, but open to your thoughts. By the way, we are on AEC.

Thanks,
Arvind


1 Accepted Solution


Correct answer by
Level 3

@kautuk_sahni - here you go with the details.

For establishing authentication on the Publish end, where we expose data to the systems that hit the GraphQL endpoint, the steps involved for the CUG implementation are listed below, sequentially and as-is.

1. Create a custom folder under "/content/dam", and create any sample content fragments under that folder.

2. Create a custom user group local to the AEM instance and push it through the repo-init config on Author and Publish. We had only the Author repo-init configuration in the beginning, so for this need we added a repo-init config for Publish as well.
Example code for both Author and Publish:
create group <custom_group> with path /home/groups/xyz/

3. Apply permissions to this custom group only on the Publish side, so it has access to the custom folder that holds the CF data for that respective need. Example code:

set ACL for <custom_group>
remove * on /content/dam/<custom_folder>
## Permissions for <custom_group> group
allow jcr:all on /content/dam/<custom_folder>
allow jcr:all on /conf/<cf_model_config_folder>
allow jcr:all on /content/cq:graphql/<endpoint>
end

4. Remove read permissions from the everyone group for that respective custom folder, so it doesn't expose that data to "everyone" through GraphQL. Example:

set ACL for everyone
remove * on /content/dam/<custom_folder>
## Deny rules for everyone
deny jcr:all on /content/dam/<custom_folder>
end

5. Add the above sample code from Steps 2-4 in the repoinit config on the Publish side, where all the restriction is needed.

6. Create a technical service user account from AdminConsole for the respective environment.

7. This will now show up in AEM Author Users console. Add the custom group that was created through repo-init to the user and Publish the User.

8. Now generate an Access Token or JWT-Token for hitting the GraphQL endpoint to validate the authentication.

9. Use the Access Token generated in the above step to establish authentication via Postman, of type "Bearer token", and we should see a response.

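As an added example (not code from this thread or from Adobe): a Python helper that renders the repoinit scripts from Steps 2-4 into the two AEMaaCS run-mode OSGi configs, so that `config.author` receives only the group creation while `config.publish` receives the group plus the ACLs (Step 5), and then checks that the Publish script denies `everyone` on the folder and never grants it an allow. The group, folder, conf and endpoint names are constructed placeholders, and the `graphql-cug` config name is an assumption.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class GraphqlCug:
    """Constructed placeholder values standing in for the <...> names in the steps above."""
    group: str = "cf-api-readers"                         # <custom_group>
    group_path: str = "/home/groups/xyz/"                 # path used in Step 2
    folder: str = "/content/dam/restricted-cf"            # /content/dam/<custom_folder>
    conf: str = "/conf/restricted-cf"                     # /conf/<cf_model_config_folder>
    endpoint: str = "/content/cq:graphql/restricted-cf"   # /content/cq:graphql/<endpoint>

    def group_script(self) -> str:
        # Step 2: identical on Author and Publish so the group exists where the user is assigned
        return f"create group {self.group} with path {self.group_path}"

    def acl_script(self) -> str:
        # Steps 3 and 4, Publish only; verbs and order kept as the answer lists them
        return "\n".join([
            f"set ACL for {self.group}",
            f"    remove * on {self.folder}",
            f"    allow jcr:all on {self.folder}",
            f"    allow jcr:all on {self.conf}",
            f"    allow jcr:all on {self.endpoint}",
            "end",
            "set ACL for everyone",
            f"    remove * on {self.folder}",
            f"    deny jcr:all on {self.folder}",
            "end",
        ])

    def configs(self, name: str = "graphql-cug") -> dict[str, str]:
        """Map of ui.config run-mode path -> JSON for the RepositoryInitializer factory config."""
        pid = f"org.apache.sling.jcr.repoinit.RepositoryInitializer~{name}.cfg.json"
        return {
            f"config.author/{pid}": json.dumps({"scripts": [self.group_script()]}, indent=2),
            f"config.publish/{pid}": json.dumps(
                {"scripts": [self.group_script(), self.acl_script()]}, indent=2),
        }


def everyone_is_denied(cfg_json: str, folder: str) -> bool:
    """Check a rendered config: 'everyone' must get the deny on folder and no allow at all."""
    in_everyone, denied = False, False
    for line in "\n".join(json.loads(cfg_json)["scripts"]).splitlines():
        tok = line.strip()
        if tok.startswith("set ACL for "):
            in_everyone = tok.split()[-1] == "everyone"
        elif tok == "end":
            in_everyone = False
        elif in_everyone and tok.startswith("allow "):
            return False                      # an allow for everyone would reopen the folder
        elif in_everyone and tok == f"deny jcr:all on {folder}":
            denied = True
    return denied
```

Run `everyone_is_denied` over the Publish file before deploying; it returns False for the Author file (no ACLs there) and for any script that slips an allow for `everyone` into the block.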

6 Replies


Level 6

Hi Arvind,

The GraphQL endpoint can be restricted so that it can be accessed only by legitimate users. First you deny access to that particular endpoint for all, and then enable the access for a particular user.

Assuming you are consuming the headless content from another application, you will not be able to access the endpoint anonymously from now on. You need to pass the configured user authentication details to access the endpoint. Hope this helps.

Thanks,

Somen


Level 3

Thanks @somen-sarkar. Theoretically you are right. The CUG has also been a hiccup here. The permissions have been messing up the folder access on the Publish side, and that's the one holding up the CF content. Reached out to Adobe, should see how that goes.


Level 3

@somen-sarkar - Just to post an update to you, CUG is an existing issue with AEM currently. Reported to the Adobe support team; they were able to replicate it and are investigating.


Administrator

@arvindk091986 Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found the solution yourself, please share it with the community.

Kautuk Sahni


Level 3

I have the details, will post them shortly. The AEM Engineering team shared a set of steps that need to go in as mentioned. @kautuk_sahni
