AWS AppSync Authorization
I'm planning to use AWS AppSync to migrate a GraphQL endpoint in a Lambda function, which is being triggered by a POST via the API Gateway. I'm looking into AppSync mainly because of the subscriptions, which I can't create using a Lambda function.

My authentication mechanism is based on Auth0, using passwordless, and my authorization mechanism is based on the data from several tables in DynamoDB and it's embedded in the GraphQL resolvers, as recommended by Facebook and Apollo.

What is more, it is based on every part of the request, which includes checking permission to invoke the query/mutation, and after that, the different entities included in the query, as the appropriate resolvers are being fired.

As far as I can see, this is far from being possible in AWS AppSync, as it enforces using Cognito. Maybe some kind of custom authorizer, like in the API Gateway, could do the work, but it's still uncertain, because it needs to be executed many times during the GraphQL request resolution (remember, one per nested object apart from the initial operation check).

Maybe I can make a workaround regarding the subscriptions using notifications and refresh the queries, but I'll have to look into that as well.

Anyone else with this problem too? How do you plan to, or have solved it?

Any help will be much appreciated

Carlos

Virtu answered 24/1, 2018 at 22:13 Comment(0)

At this point AppSync supports AuthZ checks using the metadata in the resource you are querying, or you can pass through the data and check it in the resolver. For instance you can store authorization metadata on the DynamoDB table and check it and then return data, but you cannot check a separate data source. However there will be more auth methods opened up in the future as AppSync is still not GA.

In the meantime some options:

  • Use Lambda as your resolver and do your AuthZ check there before reading/writing to DynamoDB

  • Federate your Auth0 identity with AWS IAM and use those credentials in the resolver as a check. AppSync supports these credentials.

  • Check the JWT claims in the resolver that you pass through for your AuthZ check. You can use $context.identity.claims.attribute in the Velocity language for this.

Please keep checking the AppSync documentation page in the coming months as the service evolves for more options here.

EDIT There is now a guide in the documentation for AppSync authorization scenarios and use cases: https://docs.aws.amazon.com/appsync/latest/devguide/security-authorization-use-cases.html

EDIT #2 There is a new blog post for using multiple data sources with your resolvers for advanced authorization scenarios: https://hackernoon.com/graphql-authorization-with-multiple-data-sources-using-aws-appsync-dfae2e350bf2

Perfectible answered 25/1, 2018 at 1:58 Comment(5)
Thanks @Richard, I have considered these options; the most feasible solution is using a Lambda as a resolver, which would be much more expensive, because it would need N+1 Lambda executions and DynamoDB calls only for the authorization, N being the number of nested objects in the query. Of course I'll be checking AppSync regularly, but you have to solve the problem for multi-tenant systems. Good luck and let me know if I can help :)Virtu
Have you looked at batch invoke for Lambda with AppSync? docs.aws.amazon.com/appsync/latest/devguide/… @CarlosDelgadoPerfectible
Definitely this looks better; using this option would force us to use batch invoking in every resolver and mitigate the N+1 issue, but I wonder if it would go down to just 1 invocation per query/mutation? Not sure... and I'm not sure either how this would work with a subscription. I guess I'll have to look into it more closely because I have too many questions about this service's advanced techniques.Virtu
@CarlosDelgado please take a look at the new blog post we released for this and see if the Lambda scenario can assist you: hackernoon.com/…Perfectible
@Perfectible could you show me an example of this applied to a mutation?Howsoever
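The two-stage check the question describes (permission to invoke the field, then per-entity checks as nested objects resolve), done inside a Lambda resolver from the JWT claims AppSync passes in `event["identity"]["claims"]`, as an added example that is not code from the original thread or from AWS. It assumes an Auth0-style token carrying `sub`, `permissions` (or a `scope` string) and a custom `tenant` claim, a hypothetical `Project` type with `getProject`/`updateProject` fields, and, for batch invocation, that AppSync delivers a list of events and expects a list of results in the same order, each `{"data": ...}` or carrying `errorMessage`/`errorType`. The DynamoDB tables are replaced by an in-memory dict so it runs offline.

```python
"""Authorization in an AppSync Lambda resolver using the caller's JWT claims.

Added example, not from the original post. AppSync gives a Lambda resolver the
verified identity in event["identity"]; for an OIDC provider such as Auth0 the
token claims sit in event["identity"]["claims"]. The claim names (permissions,
scope, sub, tenant), the field names and the batch result shape are assumptions.
"""

# Constructed stand-in for the DynamoDB table holding projects plus their
# authorization metadata (owning tenant, users allowed to write).
PROJECTS = {
    "p-1": {"tenant": "acme", "name": "Widget", "editors": {"u-1"}},
    "p-2": {"tenant": "globex", "name": "Gadget", "editors": {"u-9"}},
}

# Operation-level policy: permission claim required to invoke each field
# (hypothetical names in the Auth0 "resource:action" style).
FIELD_PERMISSIONS = {
    "getProject": "read:projects",
    "updateProject": "write:projects",
}


class Forbidden(Exception):
    """Raised when a claim check fails; surfaces as a GraphQL error on the field."""


def granted_permissions(claims):
    """Auth0 emits RBAC permissions as a list and OAuth scopes as one string."""
    granted = set(claims.get("permissions", []))
    granted.update(str(claims.get("scope", "")).split())
    return granted


def authorize_operation(claims, field_name):
    """First stage: may this token invoke the field at all?"""
    required = FIELD_PERMISSIONS.get(field_name)
    if required is None:
        raise Forbidden(f"no policy for field {field_name}")
    if required not in granted_permissions(claims):
        raise Forbidden(f"missing permission {required}")


def load_project(claims, project_id, write):
    """Second stage, per entity: tenant ownership and, for writes, editor membership.
    Another tenant's project is reported exactly like a missing one so the error
    does not reveal which ids exist outside the caller's tenant."""
    project = PROJECTS.get(project_id)
    if project is None or project["tenant"] != claims.get("tenant"):
        raise Forbidden(f"project {project_id} not found")
    if write and claims.get("sub") not in project["editors"]:
        raise Forbidden(f"{claims.get('sub')} is not an editor of {project_id}")
    return project


def resolve_one(event):
    """Resolve one AppSync Lambda event (arguments, identity, info.fieldName)."""
    claims = (event.get("identity") or {}).get("claims") or {}
    field = event["info"]["fieldName"]
    args = event.get("arguments") or {}
    authorize_operation(claims, field)
    if field == "getProject":
        project = load_project(claims, args["id"], write=False)
        return {"id": args["id"], "name": project["name"]}
    if field == "updateProject":
        project = load_project(claims, args["id"], write=True)
        project["name"] = args["name"]
        return {"id": args["id"], "name": project["name"]}
    raise Forbidden(f"unhandled field {field}")


def handler(event, context=None):
    """Lambda entry point. A single event raises on denial, which AppSync reports
    as that field's error. A list of events is the assumed batch contract: return
    a list of the same length and order, so one denied item does not fail its
    siblings in the same batch."""
    if isinstance(event, list):
        results = []
        for item in event:
            try:
                results.append({"data": resolve_one(item)})
            except Forbidden as exc:
                results.append({"data": None, "errorMessage": str(exc),
                                "errorType": "Unauthorized"})
        return results
    return resolve_one(event)


def make_event(field_name, arguments, claims):
    """Build a constructed event in the shape AppSync hands a Lambda resolver."""
    parent = "Query" if field_name.startswith("get") else "Mutation"
    return {
        "arguments": arguments,
        "identity": {"claims": claims, "sub": claims.get("sub"),
                     "issuer": "https://example.auth0.com/"},
        "source": None,
        "info": {"fieldName": field_name, "parentTypeName": parent},
    }


if __name__ == "__main__":
    reader = {"sub": "u-2", "tenant": "acme", "permissions": ["read:projects"]}
    editor = {"sub": "u-1", "tenant": "acme", "scope": "read:projects write:projects"}
    print(handler(make_event("getProject", {"id": "p-1"}, reader)))
    print(handler([
        make_event("updateProject", {"id": "p-1", "name": "Widget v2"}, reader),
        make_event("updateProject", {"id": "p-1", "name": "Widget v2"}, editor),
        make_event("getProject", {"id": "p-2"}, editor),
    ]))
```

The operation check happens once per field invocation and the entity check once per item, which is exactly the N+1 cost the comments discuss; the batch branch is what keeps that to one Lambda invocation per batch rather than one per nested object, with each item's denial isolated to its own result slot.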
