
Restricting to given client ID with Auth0 (OpenID Connect mode)

Open tyroneerasmus opened this issue 4 years ago • 9 comments

When using the OpenID Connect authorization mode, I cannot restrict it to a particular Client ID. All examples I have seen online seem to suggest the same: people leave the Client ID blank (which then allows access from any client on the given issuer).


My Auth0 client's ID is 32 characters long, and I can get it to authenticate successfully if I set the Client ID field to the following regex: .{32} (or leave it blank, of course).

However, any attempt to further lock it down to a particular client just gives me:

{
  "errors" : [ {
    "errorType" : "UnauthorizedException",
    "message" : "Unauthorized"
  } ]
}

Any ideas on what could be causing this?

tyroneerasmus avatar Jun 11 '20 10:06 tyroneerasmus

Thanks @tyroneerasmus for raising this issue. We've had this issue floating around for a while too. We couldn't get to the bottom of this either. This has meant that we have to be very careful how we treat our development and production auth applications. Because we cannot lock our production AppSync to the production auth application we have to treat our development auth application as production and restrict developers from making changes to it. This has resulted in a bottleneck of developers requesting changes to our dev auth application rather than being free to make these changes themselves. Would be great if we could get this working!

alextriaca avatar Jun 12 '20 07:06 alextriaca

I just ran into this issue as well; it cost me a few hours trying to debug my setup. I never would have guessed that removing the Client ID would be the solution. It would be great to have this corrected.

jwrubel avatar Jan 04 '21 22:01 jwrubel

I can confirm that this is still a problem and doesn't seem to work at all.

My resolver receives the correct client ID (of an Auth0 application) in the azp claim, but trying to restrict that ID in AppSync makes the API unusable (401).

mlafeldt avatar Feb 15 '21 21:02 mlafeldt

Got word from an AppSync product manager that they're aware of the issue. There will be a fix at some point.

mlafeldt avatar Feb 17 '21 10:02 mlafeldt

Same here; we ran into this yesterday again when trying to log in with the Auth0 SDK. What's strange is that when I use the OAuth2 login from Retool (https://docs.retool.com/docs/api-authentication#oauth-20), the access token works with the Client ID set in AppSync.

p0wl avatar Feb 17 '21 10:02 p0wl

Try using the idToken that comes from your OIDC third-party provider. With Okta, the idToken worked even when specifying the Client ID, while the accessToken did not. I tested this in the AppSync console with direct queries, in Postman, and inside an app with DataStore.query().

brienpafford avatar Mar 18 '21 21:03 brienpafford
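The comments above report that the client ID shows up in the azp claim of an access token and that an ID token passes the Client ID check while an access token does not. The script below is an added example (not code from this issue, from Auth0, or from AppSync) for checking which claim of a given token actually carries the client identifier before configuring the Client ID regex. It decodes the JWT payload offline without verifying the signature, so it is an inspection aid, not an authorization check. The claim sets are constructed samples that follow the usual OIDC shape (client ID in aud for an ID token; API identifier in aud and client ID in azp for an access token); the client ID value is a placeholder. Whether AppSync matches the regex against aud, azp, or both is exactly what was in question in this thread, so the script reports matches for each claim separately.

```python
import base64
import json
import re

# Constructed placeholder, 32 characters long like the one reported in this issue.
CLIENT_ID = "ConstructedClientId0123456789abc"

# Constructed claim sets (not real tokens). An OIDC ID token puts the relying
# party's client ID in `aud`; an access token typically puts the API identifier
# in `aud` and the client ID in `azp` (authorized party).
ID_TOKEN_CLAIMS = {
    "iss": "https://example.auth0.com/",
    "sub": "auth0|constructed-user",
    "aud": CLIENT_ID,
    "exp": 1893456000,
}
ACCESS_TOKEN_CLAIMS = {
    "iss": "https://example.auth0.com/",
    "sub": "auth0|constructed-user",
    "aud": ["https://api.example.com/", "https://example.auth0.com/userinfo"],
    "azp": CLIENT_ID,
    "exp": 1893456000,
}


def b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWTs do."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped string with an empty signature, for offline inspection only."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    Use this only to see what a token contains; never treat its output as proof
    that the token is valid.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_values(claims: dict) -> dict:
    """Collect the candidate client-identifier claims: aud (string or list) and azp."""
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    azp = claims.get("azp")
    return {"aud": list(aud), "azp": [azp] if azp else []}


def matching_claims(token: str, client_id_pattern: str) -> list:
    """Names of the claims (aud, azp) with at least one value fully matching the regex.

    Uses fullmatch so that `.{32}` behaves like the Client ID field in this
    thread: it accepts only a value exactly 32 characters long.
    """
    regex = re.compile(client_id_pattern)
    matched = []
    for name, values in audience_values(decode_claims(token)).items():
        if any(regex.fullmatch(value) for value in values):
            matched.append(name)
    return matched


if __name__ == "__main__":
    pattern = re.escape(CLIENT_ID)
    for label, claims in (("id_token", ID_TOKEN_CLAIMS), ("access_token", ACCESS_TOKEN_CLAIMS)):
        token = make_unsigned_jwt(claims)
        print(f"{label}: client ID found in {matching_claims(token, pattern) or 'no'} claim(s)")
```

To inspect a real token, pass it to matching_claims in place of the constructed one; if the client ID only appears under azp, a Client ID restriction that consults aud alone will reject the token, which is consistent with the 401 responses reported above.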

I've got the same issue with FusionAuth. I can authenticate and get back both an access_token and an id_token. I've tried using both in the Authorization header together with setting the "Client ID" setting in AppSync... it still returns an error:

{
  "errors" : [ {
    "errorType" : "UnauthorizedException",
    "message" : "Unauthorized"
  } ]
}

jakejscott avatar Nov 19 '21 19:11 jakejscott

Any update on this? Will it be fixed? It is still an issue.

andreadammino avatar Dec 08 '21 18:12 andreadammino

It's still the same in May 2022. Using a client ID from Auth0 in AppSync will result in a 401.

MohiuddinSumon avatar May 23 '22 14:05 MohiuddinSumon

We have fixed this issue and updated the AppSync docs accordingly. Please feel free to open a new issue if you still have a problem.

yashpatel6892 avatar Aug 31 '22 22:08 yashpatel6892