Cognito custom claims missing with Amplify but not with Appsync Console
I have the following resolver, allowing me to retrieve information about the current user's company (companyId is added as a custom field on the Cognito user pool). The field on Cognito is set to mutable.

```
{
    "version" : "2017-02-28",
    "operation" : "GetItem",
    "key": {
        "id" : $util.dynamodb.toDynamoDBJson($context.identity.claims.get("custom:companyId"))
    }
}
```

This works fine when using the AWS AppSync interface (after logging in), as the logs show:

```json
{
    "errors": [],
    "mappingTemplateType": "Request Mapping",
    "path": "[getMyClientCompany]",
    "resolverArn": "arn:aws:appsync:eu-west-1:261378271140:apis/rue25cac6jc6vfbhvu32sjafqy/types/Query/fields/getMyClientCompany",
    "transformedTemplate": "{\n    \"version\" : \"2017-02-28\",\n    \"operation\" : \"GetItem\",\n    \"key\": {\n        \"id\" : {\"S\":\"0c1c81db-a771-4856-9a30-d11bf8e3cab1\"}\n    }\n}",
    "context": {
        "arguments": {},
        "source": null,
        "result": null,
        "error": null,
        "outErrors": []
    },
    "fieldInError": false
}
```

But doesn't work when the code comes from Amplify-js:

```json
{
    "errors": [],
    "mappingTemplateType": "Request Mapping",
    "path": "[getMyClientCompany]",
    "resolverArn": "arn:aws:appsync:eu-west-1:261378271140:apis/rue25cac6jc6vfbhvu32sjafqy/types/Query/fields/getMyClientCompany",
    "transformedTemplate": "{\n    \"version\" : \"2017-02-28\",\n    \"operation\" : \"GetItem\",\n    \"key\": {\n        \"id\" : {\"NULL\":null}\n    }\n}",
    "context": {
        "arguments": {},
        "source": null,
        "result": null,
        "error": null,
        "outErrors": []
    },
    "fieldInError": false
}
```

The key that should be "custom:companyId" is "NULL" now. I imagine the issue is either with Amplify (version 0.4.8) or with the Cognito user resolver for some reason.

Any idea what could be going on?

Of answered 14/8, 2018 at 12:7 Comment(2)
Hi, we'll consolidate the response within the AWS AppSync forums since you asked the same question in there. - Diacaustic
Oh I didn't realise it was the same crowd, please do. - Of

There are two JWT tokens Cognito may utilize: ID and Access. The ID token seems to contain those custom claims.

From Amplify, you tweak the Authorization header to use the ID token vs. the Access token.

Here's the code, put it in AWS Amplify configuration:

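```javascript
// Import style for the aws-amplify version in the question (0.4.x)
import Amplify, { Auth } from 'aws-amplify';

Amplify.configure({
  API: {
    graphql_endpoint: 'https://****.appsync-api.***.amazonaws.com/graphql',
    graphql_region: '***',
    graphql_authenticationType: 'AMAZON_COGNITO_USER_POOLS',
    // Send the ID token rather than the access token in the Authorization header
    graphql_headers: async () => {
      try {
        const token = (await Auth.currentSession()).idToken.jwtToken;
        return { Authorization: token };
      } catch (e) {
        console.error(e);
        // Potentially you can retrieve it from local storage
        return {};
      }
    }
  }
});
```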

Note, there seem to be several different keys to configure Amplify keys: for example, aws_appsync_graphqlEndpoint vs API { graphql_endpoint }, I used the latter.

Embroider answered 4/9, 2018 at 15:15 Comment(1)
This configuration works but it screws up the calls to the API (in a Nextjs app). Is there any way to set the graphql_headers ONLY for a specific operation? - Corona
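
To confirm which token a client is actually sending, the following added example (not part of the original question or answer) decodes a JWT payload under Node.js and reports whether `custom:companyId` is present, which is what `$context.identity.claims.get(...)` depends on. The helper names and sample tokens are constructed for illustration; `token_use` is the claim Cognito uses to mark a token as `id` or `access`.

```javascript
// Added diagnostic example; decodes the payload for inspection only.
// It does NOT verify the signature and must not be used for authorization.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) {
    throw new Error('not a compact JWT (expected header.payload.signature)');
  }
  // JWT segments are base64url; map back to the standard alphabet first.
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Reports what a resolver reading $context.identity.claims would find.
function describeToken(jwt, claimName) {
  const payload = decodeJwtPayload(jwt);
  const hasClaim = Object.prototype.hasOwnProperty.call(payload, claimName);
  return {
    tokenUse: payload.token_use, // "id" or "access" for Cognito tokens
    hasClaim,
    claimValue: hasClaim ? payload[claimName] : null,
  };
}

// Constructed, unsigned sample tokens (hypothetical values) so this runs offline.
function makeSampleJwt(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.constructed-signature`;
}

const sampleIdToken = makeSampleJwt({
  token_use: 'id',
  'cognito:username': 'example-user',
  'custom:companyId': 'EXAMPLE-COMPANY-ID',
});
const sampleAccessToken = makeSampleJwt({
  token_use: 'access',
  username: 'example-user',
  scope: 'aws.cognito.signin.user.admin',
});

console.log('id    :', describeToken(sampleIdToken, 'custom:companyId'));
console.log('access:', describeToken(sampleAccessToken, 'custom:companyId'));
```

Running `describeToken` on the value of the `Authorization` header captured from each client shows whether the request carried the ID token or the access token.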
