Description
Component
c/v3-engine
Is your proposal related to a problem?
Not exactly a problem, but abstraction without having to configure every app to use a different X-Hasura-Auth-Mode.
If I want to move a webhook auth mode that's currently the default to an alternative auth mode to make anonymous access more efficient when no Authorization header is supplied, then I have to make every client implementation requiring authn/z send an X-Hasura-Auth-Mode header.
Describe the solution you'd like
AuthConfig to support a setting for each alternativeMode to specify an issuer match (and, for webhook mode, tokenLocation configuration for this). No JWT validation is required at this level, as it will be performed at the relevant mode level once matched.
If a token at the tokenLocation with that issuer is matched, then that alternativeMode is used. Fallback on no match is the default auth mode.
This would also allow support for multiple JWT identity providers seamlessly.
Describe alternatives you've considered
Specifying X-Hasura-Auth-Mode for each required webhook mode use, but hence the problem described.
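
A sketch of the issuer-based selection proposed above, as an added example that is not part of the original issue and not Hasura's code. The issuer map, the mode names, the `noauth` default, the bearer-token location and all function names are assumptions made for illustration; the token is read without signature verification, so the result only picks which mode validates the request.

```python
import base64
import json

# Hypothetical config: issuer -> alternative mode name (constructed values).
ISSUER_TO_MODE = {
    "https://idp-a.example/": "jwt-idp-a",
    "https://idp-b.example/": "jwt-idp-b",
    "https://legacy.example/": "webhook",
}
DEFAULT_MODE = "noauth"  # assumed default mode serving anonymous requests


def unverified_issuer(token):
    """Return the `iss` claim of a compact JWT without verifying it, or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1]
    try:
        # JWT segments are base64url without padding; restore it before decoding.
        raw = base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))
        claims = json.loads(raw)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    iss = claims.get("iss") if isinstance(claims, dict) else None
    return iss if isinstance(iss, str) else None


def select_mode(headers):
    """Pick the auth mode for a request; the chosen mode must still validate."""
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return DEFAULT_MODE
    # Exact string match only: the claim is attacker-controlled at this point,
    # so it may choose which validator runs but never grants any access itself.
    return ISSUER_TO_MODE.get(unverified_issuer(token.strip()), DEFAULT_MODE)


def make_token(claims):
    """Build an unsigned sample token (constructed test input)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "c2ln"])
```

Because the issuer is matched before any validation, a forged `iss` can only steer a request to a mode that will then reject it; the default mode should therefore be the least privileged one.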