7

My service requires user groups for authorising access to data.

Group authorization examples in AppSync documentation are based on User Pool claims. I'm using IAM authentication so $context.identity doesn't include claims or any similar information.

See, for example, topic "Use Case: Group Can Create New Record" in: https://docs.aws.amazon.com/appsync/latest/devguide/security-authorization-use-cases.html

#set($expression = "")
#set($expressionValues = {})
#foreach($group in $context.identity.claims.get("cognito:groups"))
    #set( $expression = "${expression} contains(groupsCanAccess, :var$foreach.count )" )
    #set( $val = {})
    #set( $test = $val.put("S", $group))
    #set( $values = $expressionValues.put(":var$foreach.count", $val))
    #if ( $foreach.hasNext )
    #set( $expression = "${expression} OR" )
    #end
#end
{
    "version" : "2017-02-28",
    "operation" : "PutItem",
    "key" : {
        ## If your table's hash key is not named 'id', update it here. **
        "id" : { "S" : "$context.arguments.id" }
        ## If your table has a sort key, add it as an item here. **
    },
    "attributeValues" : {
        ## Add an item for each field you would like to store to Amazon DynamoDB. **
        "title" : { "S" : "${context.arguments.title}" },
        "content": { "S" : "${context.arguments.content}" },
        "owner": {"S": "${context.identity.username}" }
    },
    "condition" : {
        "expression": "attribute_not_exists(id) OR $expression",
        "expressionValues": $utils.toJson($expressionValues)
    }
}

I would expect to just check from User table whether the user is in a group that grants this permission. However, DynamoDB conditions don't seem to support querying other tables.

Lindlof
  • 2,152
  • 2
  • 17
  • 26
  • Perhaps the only way to achieve proper authorization at the moment, when using IAM authentication, is using Lambda data source. That is disappointing. I hope there will soon be progress in this area. – Lindlof Apr 30 '18 at 23:04
  • If you are using Cognito user pools for group information, you can use IAM auth and also can pass the JWT token to the API that will be preserved in the header in which case you will have access to group information. Have a look at the following change merged into the Amplify library (considering that is what you are using): https://github.com/awslabs/aws-mobile-appsync-sdk-js/pull/121 – Ionut Trestian May 14 '18 at 22:32
  • any luck with this Mikael? I am facing similar kind of problem. – Jeet Chhatrala Apr 23 '21 at 20:46
  • did anyone solve that issue? – demsey May 30 '21 at 12:02

1 Answers1

0

Today i'm using something similar to your requirement. For that I add a custom header in the amplify request with the JWT token from Cognito User Pool. In my case, I parse the JWT inside a lambda resolver. For your case, you'll need to parse the JWT token in the frontend and send it parsed (and encoded) in the custom header. Inside your resolver you can decode the header value and extract the groups from the claims.

Gustavo Tavares
  • 2,579
  • 15
  • 29