Closed ghi8GPA closed 1 year ago
I have tried switching the default auth type through the Amplify CLI, and if I swap AWS_IAM as the default with Cognito, it seems to work for unauthenticated users BUT not for private, owner and group rules.
{
  "version": 1,
  "serviceConfiguration": {
    "apiName": "XXX",
    "serviceName": "AppSync",
    "defaultAuthType": {
      "mode": "AWS_IAM"
    },
    "conflictResolution": {},
    "additionalAuthTypes": [
      {
        "mode": "AMAZON_COGNITO_USER_POOLS",
        "cognitoUserPoolId": "XXXX"
      }
    ]
  }
}
Hey @ghi8GPA, sorry you are facing this issue. It looks like you are interacting with a backend that has multiple authorization modes and you are not specifying the auth mode via the apiName parameter in your requests. The API category does not do anything fancy to try to figure out the auth mode; it just uses the default mode unless specified.
Have you tried going through the instructions on https://docs.amplify.aws/lib/graphqlapi/authz/q/platform/flutter/#configure-multiple-authorization-modes and seeing if it helps?
Also note that in dev preview this is a little easier bc you can specify the authorizationMode parameter in a GraphQLRequest or a model helper. In stable, however, you have to use apiName and have the expected entries in your amplify configuration file.
Hi @ragingsquirrel3, Thanks for the fast reply.
// `auth` holds whether the current user is signed in; it selects the
// authorization mode sent with the request instead of the configured default.
var result = await Amplify.API.query(
  request: ModelQueries.get(
    DPSettings.classType,
    'CHECKOUT_MODES',
    apiName: 'XXX',
    authorizationMode:
        auth == true ? APIAuthorizationType.userPools : APIAuthorizationType.iam,
  ),
).response;
I managed to make this work by setting apiName. It also works on dev preview (I'm using 1.0.0-next.1), but I still require apiName; authorizationMode alone is not enough.
The point is that, even if I have two authorizationModes, I still have only one apiName, which in this case is the same for IAM and Cognito.
Hope that this could be fixed in the future; meanwhile I can create a service that checks if the user is authenticated and adds the name of the API.
Thanks
I'm glad you got this working, but requiring apiName in dev preview is not expected (assuming the amplifyconfiguration.dart file doesn't have modifications left from making it work in stable), so I want to ask some more questions to verify.
Yes, I understand there is only 1 apiName, but using this in stable is a workaround needed bc of the lack of an authorizationMode parameter in the underlying android/ios libraries (I agree it's annoying in this use case).
When you test w dev preview and state that apiName is required, does your amplifyconfiguration file have only 1 GraphQL entry, like the configuration you attached when filing the issue? If so, apiName should not be required in dev preview and only authorizationMode should work. I was wondering if you had created another entry to get it working with stable (which is required) and did not remove it to try w dev preview. If there are multiple GraphQL entries, then apiName is required to disambiguate. In dev preview, if you delete the configuration file locally and run amplify pull, I would not expect apiName to be required. If apiName is required when there is only 1 entry in dev preview, do you get an error? Or do you just not have the expected authorization logic occur at runtime?
Thanks for the detail and again for filing this issue.
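The pattern the thread converges on, as an added example that is not code from the thread or from amplify-flutter: choose the AppSync authorization mode from the current Cognito session (user pool tokens when signed in, IAM guest credentials otherwise) and send it explicitly instead of relying on the configured default mode. The apiName entry name and the query document are assumptions.

```dart
import 'package:amplify_api/amplify_api.dart';
import 'package:amplify_flutter/amplify_flutter.dart';

/// Picks the authorization mode from the current session. Leaving the
/// request on the configured default is what makes private/owner/group
/// rules fail for signed-in users when the default is AWS_IAM, and public
/// rules fail for guests when the default is AMAZON_COGNITO_USER_POOLS.
Future<APIAuthorizationType> currentAuthMode() async {
  final session = await Amplify.Auth.fetchAuthSession();
  return session.isSignedIn
      ? APIAuthorizationType.userPools
      : APIAuthorizationType.iam;
}

/// Runs a GraphQL document with the mode chosen above.
/// [apiName] is only needed on the stable release, where the configuration
/// carries one awsAPIPlugin entry per auth mode; on the dev preview,
/// authorizationMode alone is meant to suffice.
Future<GraphQLResponse<String>> runWithSessionAuth(
  String document, {
  Map<String, dynamic> variables = const {},
  String? apiName, // assumed entry name, e.g. 'XXX'
}) async {
  final mode = await currentAuthMode();
  final request = GraphQLRequest<String>(
    document: document,
    variables: variables,
    authorizationMode: mode,
    apiName: apiName,
  );
  final response = await Amplify.API.query(request: request).response;
  if (response.hasErrors) {
    // Surface authorization failures (e.g. "Not Authorized to access ...")
    // instead of silently returning partial data.
    throw Exception(response.errors.map((e) => e.message).join('; '));
  }
  return response;
}

// Usage (assumed query name and field):
// final r = await runWithSessionAuth(
//   'query GetSettings(\$id: ID!) { getDPSettings(id: \$id) { id } }',
//   variables: {'id': 'CHECKOUT_MODES'},
// );
```

With the default mode left at AWS_IAM in cli-input.json, guests keep using the unauthenticated identity pool role while signed-in users present their user pool token, so each @auth rule is evaluated against the right principal.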
Hello, this is the configuration:
const amplifyconfig = ''' {
  "UserAgent": "aws-amplify-cli/2.0",
  "Version": "1.0",
  "api": {
    "plugins": {
      "awsAPIPlugin": {
        "XXX": {
          "endpointType": "GraphQL",
          "endpoint": "https://XXX.appsync-api.XXX.amazonaws.com/graphql",
          "region": "XXX",
          "authorizationType": "AMAZON_COGNITO_USER_POOLS"
        },
        "automatorest": {
          "endpointType": "REST",
          "endpoint": "https://XXX.execute-api.XXX.amazonaws.com/dev",
          "region": "XXX",
          "authorizationType": "AWS_IAM"
        }
      }
    }
  },
  "auth": {
    "plugins": {
      "awsCognitoAuthPlugin": {
        "UserAgent": "aws-amplify-cli/0.1.0",
        "Version": "0.1.0",
        "IdentityManager": {
          "Default": {}
        },
        "CredentialsProvider": {
          "CognitoIdentity": {
            "Default": {
              "PoolId": "XXX:XXX",
              "Region": "XXX"
            }
          }
        },
        "CognitoUserPool": {
          "Default": {
            "PoolId": "XXX",
            "AppClientId": "XXX",
            "Region": "XXX"
          }
        },
        "Auth": {
          "Default": {
            "OAuth": {
              "WebDomain": "XXX.auth.XXX.amazoncognito.com",
              "AppClientId": "XXX",
              "SignInRedirectURI": "XXX://",
              "SignOutRedirectURI": "XXX://",
              "Scopes": [
                "phone",
                "email",
                "openid",
                "profile",
                "aws.cognito.signin.user.admin"
              ]
            },
            "authenticationFlowType": "USER_SRP_AUTH",
            "socialProviders": [
              "GOOGLE",
              "APPLE"
            ],
            "usernameAttributes": [
              "EMAIL"
            ],
            "signupAttributes": [
              "EMAIL"
            ],
            "passwordProtectionSettings": {
              "passwordPolicyMinLength": 8,
              "passwordPolicyCharacters": []
            },
            "mfaConfiguration": "OFF",
            "mfaTypes": [
              "SMS"
            ],
            "verificationMechanisms": [
              "EMAIL"
            ]
          }
        },
        "AppSync": {
          "Default": {
            "ApiUrl": "https://XXX.appsync-api.XXX.amazonaws.com/graphql",
            "Region": "XXX",
            "AuthMode": "AMAZON_COGNITO_USER_POOLS",
            "ClientDatabasePrefix": "XXX_AMAZON_COGNITO_USER_POOLS"
          },
          "XXX_AWS_IAM": {
            "ApiUrl": "https://XXX.appsync-api.XXX.amazonaws.com/graphql",
            "Region": "XXX",
            "AuthMode": "AWS_IAM",
            "ClientDatabasePrefix": "XXX_AWS_IAM"
          }
        },
        "DynamoDBObjectMapper": {
          "Default": {
            "Region": "XXX"
          }
        },
        "S3TransferUtility": {
          "Default": {
            "Bucket": "XXX-dev",
            "Region": "XXX"
          }
        }
      }
    }
  },
  "storage": {
    "plugins": {
      "awsDynamoDbStoragePlugin": {
        "partitionKeyName": "id",
        "region": "XXX",
        "arn": "arn:aws:dynamodb:XXX:XXX:table/ASecrets-dev",
        "streamArn": "arn:aws:dynamodb:XXX:XXX:table/XXX-dev/stream/2022-12-19T09:55:39.111",
        "partitionKeyType": "S",
        "name": "xxx-dev"
      },
      "awsS3StoragePlugin": {
        "bucket": "XXX-dev",
        "region": "XXX",
        "defaultAccessLevel": "guest"
      }
    }
  }
}''';
I need to add another problem with the dev preview version: OAuth Cognito users (Google and Facebook) are considered unauthenticated users when calling an API Gateway with a Lambda attached. Is there a workaround for this problem? On the stable version it is working correctly.
I will look into the API gateway issue, thanks for reporting.
The problem with API Gateway is that, as it uses an IAM role, the autogenerated groups for OAuth2 social providers (in this example Google and Apple; the role names are {region}{userpoolId}_Google) don't have the associated default IAM role (authenticated role), and those groups are not recognised by the Amplify CLI, so I cannot give them permission on the API Gateway.
A workaround that I am trying is refactoring the lambda and using appsync instead of api gateway so that I can use cognito user pools.
This is what I am actually using for calling a Lambda with AppSync so that I can access it with private/owner rules even with Google/Apple:
type Query {
  test(testInput: String!): String
    @function(name: "lambdaname-${env}")
    @auth(rules: [
      { allow: private, provider: userPools },
      { allow: groups, groups: ["group1", "group2"], provider: userPools }
    ])
}
PS: as codegen in Flutter works only for models, I won't be able to have a generated query for these functions, so I need to parse the JSON response and map it manually.
Hi @ghi8GPA - Apologies for the delayed response. It sounds like you were able to resolve the original issue, but may have run into a secondary issue. If that is the case, I think it would make sense to capture those details in a new issue. Please let us know if you are still facing an issue.
@ghi8GPA - I am going to close this out. If you are facing a follow up issue, can you please open a new GitHub issue so that we can properly capture that? Thanks.
Description
Unauthenticated user is unable to query public GraphQL models, example:
api cli-input.json
unauth IAM role has correct settings:
Authenticator widget:
my configureAmplify method:
call on api gives the following error:
ApiException(message: Failed to retrieve authorization token., recoverySuggestion: , underlyingException: Impossibile completare l'operazione. (Errore Amplify.AuthError 6).)
Categories
Steps to Reproduce
Screenshots
No response
Platforms
Android Device/Emulator API Level
No response
Environment
Dependencies
Device
iPhone SE (3rd generation)
OS
iOS 16.0
Deployment Method
Amplify CLI
CLI Version
10.5.1
Additional Context
No response
Amplify Config
{
  "UserAgent": "aws-amplify-cli/2.0",
  "Version": "1.0",
  "api": {
    "plugins": {
      "awsAPIPlugin": {
        "xxxapp": {
          "endpointType": "GraphQL",
          "endpoint": "https://XXX.appsync-api.eu-central-1.amazonaws.com/graphql",
          "region": "eu-central-1",
          "authorizationType": "AWS_IAM"
        },
        "xxxrest": {
          "endpointType": "REST",
          "endpoint": "https://XXX.execute-api.eu-central-1.amazonaws.com/dev",
          "region": "eu-central-1",
          "authorizationType": "AWS_IAM"
        }
      }
    }
  },
  "auth": {
    "plugins": {
      "awsCognitoAuthPlugin": {
        "UserAgent": "aws-amplify-cli/0.1.0",
        "Version": "0.1.0",
        "IdentityManager": {
          "Default": {}
        },
        "CredentialsProvider": {
          "CognitoIdentity": {
            "Default": {
              "PoolId": "eu-central-1:xxx",
              "Region": "eu-central-1"
            }
          }
        },
        "CognitoUserPool": {
          "Default": {
            "PoolId": "eu-central-1_xxx",
            "AppClientId": "xxxx",
            "Region": "eu-central-1"
          }
        },
        "Auth": {
          "Default": {
            "OAuth": {
              "WebDomain": "xxxx-dev.auth.eu-central-1.amazoncognito.com",
              "AppClientId": "xxxx",
              "SignInRedirectURI": "xxx://",
              "SignOutRedirectURI": "xxx://",
              "Scopes": [
                "phone",
                "email",
                "openid",
                "profile",
                "aws.cognito.signin.user.admin"
              ]
            },
            "authenticationFlowType": "USER_SRP_AUTH",
            "socialProviders": [
              "GOOGLE"
            ],
            "usernameAttributes": [
              "EMAIL"
            ],
            "signupAttributes": [
              "EMAIL",
              "NAME"
            ],
            "passwordProtectionSettings": {
              "passwordPolicyMinLength": 8,
              "passwordPolicyCharacters": []
            },
            "mfaConfiguration": "OPTIONAL",
            "mfaTypes": [
              "TOTP"
            ],
            "verificationMechanisms": [
              "EMAIL"
            ]
          }
        },
        "AppSync": {
          "Default": {
            "ApiUrl": "https://xxxx.appsync-api.eu-central-1.amazonaws.com/graphql",
            "Region": "eu-central-1",
            "AuthMode": "AWS_IAM",
            "ClientDatabasePrefix": "xxx_AWS_IAM"
          },
          "dolceparadisoapp_AMAZON_COGNITO_USER_POOLS": {
            "ApiUrl": "https://xxxx.appsync-api.eu-central-1.amazonaws.com/graphql",
            "Region": "eu-central-1",
            "AuthMode": "AMAZON_COGNITO_USER_POOLS",
            "ClientDatabasePrefix": "xxxx_AMAZON_COGNITO_USER_POOLS"
          }
        },
        "S3TransferUtility": {
          "Default": {
            "Bucket": "xxxx-dev",
            "Region": "eu-central-1"
          }
        },
        "DynamoDBObjectMapper": {
          "Default": {
            "Region": "eu-central-1"
          }
        },
        "PinpointAnalytics": {
          "Default": {
            "AppId": "xxxx",
            "Region": "eu-central-1"
          }
        },
        "PinpointTargeting": {
          "Default": {
            "Region": "eu-central-1"
          }
        }
      }
    }
  },
  "storage": {
    "plugins": {
      "awsS3StoragePlugin": {
        "bucket": "xxxx-dev",
        "region": "eu-central-1",
        "defaultAccessLevel": "guest"
      },
      "awsDynamoDbStoragePlugin": {
        "partitionKeyName": "id",
        "region": "eu-central-1",
        "arn": "arn:aws:dynamodb:eu-central-1:xxxxx:table/xxxx-dev",
        "streamArn": "arn:aws:dynamodb:eu-central-1:xxxxx:table/xxx-dev/stream/2022-12-01T09:24:25.413",
        "partitionKeyType": "S",
        "name": "xxxx-dev"
      }
    }
  },
  "analytics": {
    "plugins": {
      "awsPinpointAnalyticsPlugin": {
        "pinpointAnalytics": {
          "appId": "xxxxx",
          "region": "eu-central-1"
        },
        "pinpointTargeting": {
          "region": "eu-central-1"
        }
      }
    }
  }
}