aws-amplify / amplify-category-api

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development. This plugin provides functionality for the API category, allowing for the creation and management of GraphQL and REST based backends for your amplify project.
https://docs.amplify.aws/
Apache License 2.0

Improve Learn More section when setting up Auth/Guest vs Individual Groups in the CLI #255

Open chantlong opened 3 years ago

chantlong commented 3 years ago

I have an API Gateway + REST configuration.

When Restricting API access I get two options, Auth/Guest vs Individual Groups.

The Learn More section states

> You can restrict access using CRUD policies for Authenticated Users, Guest Users, or on individual Group that users belong to in a User Pool. If a user logs into your application and is not a member of any group they will use policy set for “Authenticated Users”, however if they belong to a group they will only get the policy associated with that specific group.

I do not understand what constitutes an Authenticated User.

I have a React Native app and when restricting with Auth/Guest selected, when calling the API it returns a 403.

But if I select Individual Group, the API works fine.

Since I am already logged in, that should make me an Authenticated User so how should I go about making the Auth/Guest option work?

I tried passing a token like the following and it doesn't work either.

    import { Auth } from 'aws-amplify';

    // Request options that pass the Cognito ID token as a Bearer header
    const myInit = {
      headers: {
        Authorization: `Bearer ${(await Auth.currentSession()).getIdToken().getJwtToken()}`,
      },
    };

yuth commented 3 years ago

> I do not understand what constitutes an Authenticated User.

Any user who is logged in is treated as an Authenticated user.

> I have a React Native app and when restricting with Auth/Guest selected, when calling the API it returns a 403.

Do you have auth initialized in your application before making this request? Could you share a code snippet of how you make the API request?

> But if I select Individual Group, the API works fine.

How do you select an individual group? The Amplify CLI supports restriction to Auth and UnAuth users. Could you clarify how you select Individual Groups?

> I tried passing a token like the following and it doesn't work either.

This works only if you have custom authorization enabled.

chantlong commented 3 years ago

> Do you have auth initialized in your application before making this request? Could you share a code snippet of how you make the API request?

The snippet is just the following, I am not passing any headers.

    import { API } from 'aws-amplify';

    // No explicit headers: Amplify adds the authorization itself
    API.post('myapi', '/somepath', {
      body: { somevar },
    });

In the Restrict API options, I selected users for the Individual Group and the snippet above works fine when logged in the React Native app, and it shows Missing Authentication Token when trying to access it via Postman (no auth) which is expected. Since I'm not passing any headers explicitly, it seems like there's some magic going on.

    ? Restrict access by? Individual Groups
    ? Select groups: (Press <space> to select, <a> to toggle all, <i> to invert selection)
    ❯◯ admin
     ◉ users

So it brings me back to the question of how to get it to work the Auth/Guest user way.

If I decide to use custom authorization, what's the best practice for setting it up? Since API Gateway is deployed by Amplify, I'm guessing it's better to edit the CloudFormation template vs. directly creating it on the console?

yuth commented 3 years ago

> In the Restrict API options, I selected users for the Individual Group and the snippet above works fine when logged in the React Native app, and it shows Missing Authentication Token when trying to access it via Postman (no auth) which is expected. Since I'm not passing any headers explicitly, it seems like there's some magic going on.

Yes, the Amplify JS library signs the request.

When a user belongs to a Cognito User Pool group, the CLI generates a custom role and the user is assigned that role. As described in the document above, when a user does not belong to any group they get the AuthRole.

> So it brings me back to the question of how to get it to work the Auth/Guest user way.

You can configure the API to support both by selecting Both and then granting permission individually, as shown below:

    ? Restrict API access Yes
    ? Restrict access by? Both
    ? Who should have access? Authenticated and Guest users
    ? What kind of access do you want for Authenticated users? create, read, update, delete
    ? What kind of access do you want for Guest users? read
    ? Select groups: admin, moderator
    ? What kind of access do you want for admin users? create, read, update, delete
    ? What kind of access do you want for moderator users? read, update

Once you have this, there should not be any additional changes needed in the app to make API requests.

> If I decide to use custom authorization, what's the best practice for setting it up? Since API Gateway is deployed by Amplify, I'm guessing it's better to edit the CloudFormation template vs. directly creating it on the console?

Yes, updating CloudFormation would be better, to prevent losing the customization after a new push happens.

chantlong commented 3 years ago

Noted with thanks on the auto-signed request and CloudFormation.

Once you mentioned AuthRole, I got it. After deploying the changes based on what you said, I noticed updates to the Permissions to the authRole generated by Amplify. amplify-**-dev-*****-authRole

It would be nice if the docs mentioned authRole/unauthRole as well in the Learn More CLI section.

In order to go through the "Authenticated Users" way, I must not belong to a Cognito User Pool group. I thought by default in Amplify, users that sign up using the Auth API must belong to a User Pool, so I am having trouble picturing a scenario where a user would not belong to a User Pool/Group.

yuth commented 3 years ago

> It would be nice if the docs mentioned authRole/unauthRole as well in the Learn More CLI section.

What would you like to see in the Learn More section instead of what we have?

> You can restrict access using CRUD policies for Authenticated Users, Guest Users, or on individual Group that users belong to in a User Pool. If a user logs into your application and is not a member of any group they will use the policy set for the "authUser" policy, however if they belong to a group they will only get the policy associated with that specific group. If the user is not logged in they will use the policy set by the "UnAuth" policy.

chantlong commented 3 years ago

How about the following?

> You can restrict access using CRUD policies for Authenticated Users, Guest Users, or on individual Group that users belong to in a User Pool.

Authenticated Users
If a user logs into your application and is not a member of any group, they will assume the IAM Role of Amplify's generated "authRole". Adjusting the access methods for Authenticated Users will update the policies associated with "authRole".

Guest Users
If a user is not logged in and is not a member of any group, they will assume the IAM Role of Amplify's generated "unauthRole". Adjusting the access methods for Guest Users will update the policies associated with "unauthRole".

Individual Groups
If a user is logged in and is a member of a group, they will only get the policy associated with that specific group.

To be honest I'm not sure how to phrase the Individual Group part because there isn't an actual IAM Role, so it's like where is this policy then?