
I am using AWS AppSync with keycloak as the OIDC provider and left the clientID blanked. This means that I can generate an access token using any clientId and client secret and start making requests (query or mutation) to my AppSync GraphQL endpoint.

However, I have to ask...how do I define fine grained access control with the scopes in the jwt token. I don't really understand what benefit this authorisation flow provides apart from just leveraging existing clients previously setup in keycloak or any other oidc providers.

So...what's the real benefit of using oidc auth for AppSync? Am I missing anything important here? Any feedback appreciated!

Thank you!

johnwick0831

1 Answer


You get access to the OIDC claims in the $ctx.identity.claims map within the resolver mapping templates which you can basically use to do your fine grained access control logic. Imagine if you have a groups claim meaning your user belongs to a group such as Admin then you can write custom logic in your mapping template based on that.

Here is an example of how to do this (it uses Cognito but OIDC should be pretty similar).

https://adrianhall.github.io/cloud/2018/06/01/how-developers-can-auth-with-aws-appsync/

Ionut Trestian
  • Would you be able to explain whether what you suggested is enough? I see some people using Cognito User Pools and Identity Pools? What are the advantages of using Cognito over just OIDC? – johnwick0831 Feb 13 '20 at 06:04
  • Cognito at the basis of it is an OIDC provider. Meaning, it provides JWT tokens that contain claims. In AppSync, you can get access in your resolver code to both claims coming from an OIDC provider or from a user pool. AppSync has a tighter integration with User Pools in the sense that AppSync provides directives where you can specify the group claim as a parameter. See here. https://docs.aws.amazon.com/appsync/latest/devguide/security.html#amazon-cognito-user-pools-authorization – Ionut Trestian Feb 13 '20 at 18:15
  • Here is one of my older answers about differences between user pools and identity pools. https://stackoverflow.com/questions/46334431/aws-service-difference-between-cognito-user-pool-and-federated-identity/46334512#46334512 – Ionut Trestian Feb 13 '20 at 18:16
  • @Ionut Trestian, is it possible to get all my users from my IDP imported to Cognito user pools and have their claims mapped to User Pool groups etc.? The confusion for me here is that if I can use OIDC, then what's the point of using User Pools OIDC? – johnwick0831 Feb 15 '20 at 00:08
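The group check the answer describes, as an added stand-alone example (not code from the answer or from AWS): it models the decision an AppSync JavaScript resolver would make on `$ctx.identity.claims`. The claim names `groups` and `cognito:groups`, the Keycloak-style `/Admin` group paths and the sample contexts are assumptions; in a real APPSYNC_JS resolver the deny branch would call `util.unauthorized()` from `@aws-appsync/utils` instead of returning a result.

```javascript
// Added example, not from the original answer: a stand-alone model of the
// group-based authorization check an AppSync resolver can apply to the OIDC
// claims AppSync exposes as $ctx.identity.claims after verifying the token.

// Normalise the groups claim. Keycloak commonly emits an array of group paths
// such as "/Admin", some IdPs emit a single string, and Cognito User Pools use
// the "cognito:groups" key (claim names assumed for this example).
function groupsFromClaims(claims) {
  const raw = claims.groups ?? claims['cognito:groups'] ?? [];
  const list = Array.isArray(raw) ? raw : String(raw).split(/[,\s]+/);
  return list.filter(Boolean).map((g) => g.replace(/^\//, ''));
}

// Decide whether the caller may resolve a field that requires `requiredGroup`.
// `ctx` has the shape AppSync hands to a resolver ({ identity: { claims } }).
// Deny by default: no claims (e.g. a non-OIDC auth mode) means no access.
function authorizeField(ctx, requiredGroup) {
  const claims = ctx?.identity?.claims;
  if (!claims || typeof claims !== 'object') {
    return { allowed: false, reason: 'no OIDC claims on request' };
  }
  const groups = groupsFromClaims(claims);
  if (!groups.includes(requiredGroup)) {
    return { allowed: false, reason: `caller lacks group ${requiredGroup}` };
  }
  return { allowed: true, subject: claims.sub };
}

// Constructed sample contexts. AppSync has already validated the JWT
// signature and issuer before the claims reach the resolver, so the
// resolver only reasons about claim contents, never token validity.
const adminCtx = { identity: { claims: { sub: 'u-1', groups: ['/Admin', '/Staff'] } } };
const staffCtx = { identity: { claims: { sub: 'u-2', groups: 'Staff' } } };
const noClaimsCtx = { identity: null };

console.log(authorizeField(adminCtx, 'Admin'));    // allowed, subject u-1
console.log(authorizeField(staffCtx, 'Admin'));    // denied, lacks group Admin
console.log(authorizeField(noClaimsCtx, 'Admin')); // denied, no OIDC claims
```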