Appsync OPENID_CONNECT support?
I'd like to use AppSync - but with OpenID Connect instead of Cognito. Since I've found no example code anywhere (!), I've been trying to modify this repo for the purpose.
For now, I've done more or less these steps:
- added this to `app-backend/appsync/dynamo/serverless.yml`:

  ```yaml
  authenticationType: OPENID_CONNECT
  openIdConnectConfig:
    issuer: https://MYTEST.ngrok.io # running a node-oidc-provider
    authTTL: 3600000
    iatTTL: 3600000
    clientId: # (see below)
  ```
- updated `serverless-appsync-plugin` to 1.x and fixed some migration stuff as per https://github.com/sid88in/serverless-appsync-plugin#-migration-from-versions-prior-to-10
- updated most of the modules in `app-client/appsync-client/package.json`
- disabled `Amplify` and `withAuthenticator` from `/Users/naapuri/dev/witchcase/app-client/appsync-client/src/App.js` - **should I not do that?**
- tried to manually inject an id token:
tried to manually inject an id token:
const client = new AWSAppSyncClient({
url: process.env.REACT_APP_GRAPHQL_ENDPOINT,
region: process.env.REACT_APP_AWS_CLIENT_REGION,
auth: {
type: AUTH_TYPE.OPENID_CONNECT,
jwtToken: async () =>
'ey...', // an id_token copied manually
},
});
Now my application sends the token as Authorization: ey... within GraphQL endpoint queries. The GraphQL queries give me errors as follows:
- If the token is expired or malformed, I get a 401 and a decent error message telling me that.
- If I have set a value to `clientId` in AppSync settings, I get a 401:

  ```json
  {
    "errors" : [ {
      "errorType" : "UnauthorizedException",
      "message" : "Unauthorized"
    } ]
  }
  ```

- And finally, if I leave `clientId` empty (or give it the same value as the `aud` (!) param of my token), I get a 500:

  ```json
  {
    "errors" : [ {
      "errorType" : "InternalFailure"
    } ]
  }
  ```
Now I'm quite stuck, since the GraphQL endpoint is a black box, and even if I enable AppSync logging, there's nothing informative in CloudWatch logs. My ngrok inspector shows that an AWS server makes two (successful) requests to my OIDC test server: one to /certs and another one to /.well-known/openid-configuration.
Any idea what I might be missing? Or, any pointers where to start for using OIDC with AppSync?
@tuomassalo you might want to create this issue in serverless-appsync-plugin (more active)
I experienced similar problems using a custom OIDC provider implementation built on node-oidc-provider. I do not know if this is related, but the following settings worked:
```javascript
// node-oidc-provider configuration object, passed as new Provider(issuer, configuration)
const configuration = {
  formats: {
    default: 'opaque',
    AccessToken: 'jwt'
  },
  scopes: ['openid', 'offline_access'],
  subjectTypes: ['public', 'pairwise'],
  clientCacheDuration: 1 * 24 * 60 * 60, // 1 day in seconds
  ttl: {
    AccessToken: 1 * 60 * 60, // 1 hour in seconds
    AuthorizationCode: 10 * 60, // 10 minutes in seconds
    IdToken: 1 * 60 * 60, // 1 hour in seconds
    DeviceCode: 10 * 60, // 10 minutes in seconds
    RefreshToken: 1 * 24 * 60 * 60 // 1 day in seconds
  },
  features: {
    devInteractions: false,
    discovery: true,
    requestUri: true,
    oauthNativeApps: true,
    pkce: true,
    backchannelLogout: true,
    frontchannelLogout: true,
    claimsParameter: true,
    clientCredentials: true,
    encryption: true,
    introspection: true,
    jwtIntrospection: true,
    alwaysIssueRefresh: true,
    registration: false,
    registrationManagement: false,
    request: true,
    revocation: true,
    sessionManagement: false,
    webMessageResponseMode: true // defaults to false
  }
};
```
I suspect JWT and pairwise related availability is required.
Anything new on this subject? I encounter the same problem and can't find a way to make it work.
For anyone who is trying to add authentication as OPENID_CONNECT, this format worked perfectly for me:

```yaml
appSync:
  authentication:
    type: 'OPENID_CONNECT'
    config:
      issuer: 'https://auth.example.com'
      clientId: '5fbc318d-5920-48a8-92ea-20d62d16cc60'
```
If you want to add multiple authentication modes for AppSync, examples are provided by the serverless-appsync-plugin here: https://github.com/sid88in/serverless-appsync-plugin/blob/master/doc/authentication.md