I'd like to use AppSync - but with OpenID Connect instead of Cognito. Since I've found no example code anywhere (!), I've been trying to modify this repo for the purpose.
For now, I've done more or less these steps:
- added this to `app-backend/appsync/dynamo/serverless.yml`:
  ```yaml
  authenticationType: OPENID_CONNECT
  openIdConnectConfig:
    issuer: https://MYTEST.ngrok.io # running a node-oidc-provider
    authTTL: 3600000
    iatTTL: 3600000
    clientId: # (see below)
  ```
- updated `serverless-appsync-plugin` to 1.x and fixed some migration stuff as per https://github.com/sid88in/serverless-appsync-plugin#-migration-from-versions-prior-to-10
- updated most of the modules in `app-client/appsync-client/package.json`
- disabled `Amplify` and `withAuthenticator` from `/Users/naapuri/dev/witchcase/app-client/appsync-client/src/App.js` - **should I not do that?**
- tried to manually inject an id token:
  ```js
  import AWSAppSyncClient, { AUTH_TYPE } from 'aws-appsync';

  const client = new AWSAppSyncClient({
    url: process.env.REACT_APP_GRAPHQL_ENDPOINT,
    region: process.env.REACT_APP_AWS_CLIENT_REGION,
    auth: {
      type: AUTH_TYPE.OPENID_CONNECT,
      jwtToken: async () => 'ey...', // an id_token copied manually
    },
  });
  ```
Now my application sends the token as `Authorization: ey...` within GraphQL endpoint queries. The GraphQL queries give me errors as follows:
- If the token is expired or malformed, I get a 401 and a decent error message telling me that.
- If I have set a value to `clientId` in AppSync settings, I get a 401:
  ```json
  {
    "errors" : [ {
      "errorType" : "UnauthorizedException",
      "message" : "Unauthorized"
    } ]
  }
  ```
- And finally, if I leave `clientId` empty (or give it the same value as the `aud` (!) param of my token), I get a 500:
  ```json
  {
    "errors" : [ {
      "errorType" : "InternalFailure"
    } ]
  }
  ```
Now I'm quite stuck, since the GraphQL endpoint is a black box, and even if I enable AppSync logging, there's nothing informative in CloudWatch logs. My ngrok inspector shows that an AWS server makes two (successful) requests to my OIDC test server: one to `/certs` and another one to `/.well-known/openid-configuration`.
Any idea what I might be missing? Or, any pointers where to start for using OIDC with AppSync?