Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Appsync OPENID_CONNECT support? #360

Open
tuomassalo opened this issue Aug 10, 2018 · 4 comments
Open

Appsync OPENID_CONNECT support? #360

tuomassalo opened this issue Aug 10, 2018 · 4 comments

Comments

@tuomassalo
Copy link

I'd like to use AppSync - but with OpenID Connect instead of Cognito. Since I've found no example code anywhere (!), I've been trying to modify this repo for the purpose.

For now, I've done more or less these steps:

  • added this to app-backend/appsync/dynamo/serverless.yml:
authenticationType: OPENID_CONNECT
openIdConnectConfig:
  issuer: https://MYTEST.ngrok.io # running a node-oidc-provider
  authTTL: 3600000
  iatTTL: 3600000
  clientId: # (see below)

const client = new AWSAppSyncClient({
  url: process.env.REACT_APP_GRAPHQL_ENDPOINT,
  region: process.env.REACT_APP_AWS_CLIENT_REGION,
  auth: {
    type: AUTH_TYPE.OPENID_CONNECT,
    jwtToken: async () =>
      'ey...', // an id_token copied manually
  },
});

Now my application sends the token as Authorization: ey... within GraphQL endpoint queries. The GraphQL queries give me errors as follows:

  • If the token is expired or malformed, I get a 401 and a decent error message telling me that.

  • If I have set a value to clientId in AppSync settings, I get a 401:

{
  "errors" : [ {
    "errorType" : "UnauthorizedException",
    "message" : "Unauthorized"
  } ]
}
  • And finally, if I leave clientId empty (or give it the same value as the aud (!) param of my token), I get a 500:
{
  "errors" : [ {
    "errorType" : "InternalFailure"
  } ]
}

Now I'm quite stuck, since the GraphQL endpoint is a black box, and even if I enable AppSync logging, there's nothing informative in CloudWatch logs. My ngrok inspector show that an AWS server makes two (successful) requests to my OIDC test server: one to /certs and another one to /.well-known/openid-configuration.

Any idea what I might be missing? Or, any pointers where to start for using OIDC with AppSync?
@tuomassalo tuomassalo mentioned this issue Aug 10, 2018
Open
@sid88in
Copy link
Contributor

sid88in commented Aug 10, 2018

@tuomassalo you might want to create this issue in serverless-appsync-plugin (more active)

@tuomassalo tuomassalo mentioned this issue Aug 10, 2018
Closed
@shukob
Copy link

shukob commented Oct 10, 2018

I experienced similar problems using custom OIDC provider implementation using node-oidc-provider. I do not know if this is related, but the following settings worked:

        formats: {
            default: 'opaque',
            AccessToken: 'jwt'
        },
        scopes: ['openid', 'offline_access'],
        subjectTypes: ['public', 'pairwise'],
        clientCacheDuration: 1 * 24 * 60 * 60, // 1 day in seconds,
        ttl: {
            AccessToken: 1 * 60 * 60, // 1 hour in seconds
            AuthorizationCode: 10 * 60, // 10 minutes in seconds
            IdToken: 1 * 60 * 60, // 1 hour in seconds
            DeviceCode: 10 * 60, // 10 minutes in seconds
            RefreshToken: 1 * 24 * 60 * 60 // 1 day in seconds
        },
        features: {
            devInteractions: false,
            discovery: true,
            requestUri: true,
            oauthNativeApps: true,
            pkce: true,
            backchannelLogout: true,
            frontchannelLogout: true,
            claimsParameter: true,
            clientCredentials: true,
            encryption: true,
            introspection: true,
            jwtIntrospection: true,
            alwaysIssueRefresh: true,
            registration: false,
            registrationManagement: false,
            request: true,
            revocation: true,
            sessionManagement: false,
            webMessageResponseMode: true // defaults to false
        }

I suspect JWT and pairwise related availability is required.

@maxpastor
Copy link

Anything new on this subject ?
I encounter the same problem and can't find a way to make it work.

@skirang71
Copy link

skirang71 commented Aug 1, 2024
edited
Loading

For anyone who is trying to add autentication as the OPENID_CONNECT. This format worked perfectly for me:

appSync:
authentication:
type: 'OPENID_CONNECT'
config:
issuer: 'https://auth.example.com'
clientId: '5fbc318d-5920-48a8-92ea-20d62d16cc60'

If you want to add multiple authentication modes for the appsync. Examples are provided here by the serverless-appsync-plugin
https://github.com/sid88in/serverless-appsync-plugin/blob/master/doc/authentication.md

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@tuomassalo @shukob @sid88in @maxpastor @skirang71