Open jared-ookla opened 1 year ago
Hi @jared-ookla 👋 thanks for raising this issue.
Please correct me if I'm wrong, but it sounds like you already have an Amplify backend that you are using for an Android and iOS app. You are just trying to use DataStore with an OIDC token to authorize qraphql queries, correct?
Can you provide us with some more details about your configuration? Since you are not configuring DataStore to use multi auth, can you confirm what the default authorization mode on your API resource is? DataStore will try to use that by default. There is no other way to tell DataStore which authMode to try, unlike the API.graphql method which accepts the authMode as an option.
Lastly, do you have an aws-exports file? If not, please let us know how you might be calling Amplify.configure.
Oh, I see, that's helpful to understand, thanks!
Our default authorization is OIDC but this is only configured on the api module (appsync). We aren’t using the auth module (i.e. we already have logic in place that captures this bearer token without the use of the auth module).
Here are the contents of our aws-exports.js file:
/* eslint-disable */
// WARNING: DO NOT EDIT. This file is automatically generated by AWS Amplify. It will be overwritten.
const awsmobile = {
"aws_project_region": "us-west-2",
"aws_appsync_graphqlEndpoint": "<our-custom-oidc-provider-endpoint>",
"aws_appsync_region": "us-west-2",
"aws_appsync_authenticationType": "OPENID_CONNECT"
};
export default awsmobile;
@chrisbonifacio The client will need some way of communicating which user is currently signed in. I would assume the user.userId('eq', this.userId)
sync expression is not sufficient since it isn't explicitly about authorization. This is what I would have thought adding my customer authProvider function would offer. But while it isn't working, Cache.setItem
is.
Is that the appropriate way for the web client to indicate the current user or is there a better way?
For context, this is the code that led us to the Cache.setItem
solution.
I was hoping that I could search the codebase for Cache.setItem
to find some wrapper function that does this setItem
action that we should be using instead, but the search comes up empty.
Alternatively, I would have hoped that there was support for Authorization info passed through the headers (as is true with the AWS_LAMBDA case), but that doesn't appear to be the case. If that was added, I wonder if our authProvider would work.
@chrisbonifacio Can you offer any insight? Is there any additional context that'd be helpful for me to provide?
Hi @jared-ookla. Sorry for the delay. Thanks for referencing the code. It appears that the library tries to get the token from either Auth or Cache. So, in your case, I think it's alright to use Cache.setItem for now. This is simply an abstraction of localStorage on the browser.
If you do run into issues, the alternative would be to use Auth.federatedSignIn like the documentation suggests here:
https://docs.amplify.aws/lib/auth/advanced/q/platform/js/#identity-pool-federation
This would be using the token you receive from your OIDC provider and exchanging it for Cognito credentials and Amplify will manage the refresh.
Thank you for your response.
It sounds like the Cache solution is not ill-advised but also doesn't come with much confidence that it will work seamlessly. We are looking into this alternate solution you suggested to understand whether we can easily add identity pools to our current DataStore setup, so that we can implement this in a way that will give us higher confidence of no surprise issues when we launch on web. If it's ok, we'll update here with what we decide to do and any question that arise.
@jared-ookla, definitely report back on whether the alternative solution works for you!
@cwomack and @chrisbonifacio, I just want to confirm, the reason you are suggesting that the alternative to our Cache.setItem
workaround is to use Auth Identity Pool federation is because there is no way for us to specify a custom oidc auth provider on the DataStore configuration the way we are able to do with Android and iOS, is that correct?
Is that an intentional gap in support or something you plan to add?
Thanks!
Hi @jared-ookla , unfortunately that authProviders
configuration option you found only supports Lambda
This seems to be a feature disparity between the JS and Android implementations of DataStore. I'm going to mark this issue as a feature request. The way you are currently setting the oidc token in the Cache
is fine for now. It is the only way to provide Amplify with it outside of using the Auth
library so it should be okay to continue doing so until we add OIDC support to the authProviders config option.
Thank you for providing that clarification. I'm glad to see this go in as a feature ticket!
Before opening, please confirm:
JavaScript Framework
React
Amplify APIs
DataStore
Amplify Categories
api
Environment information
Describe the bug
The javascript docs don't appear to indicate what to do within the client JS code to support owner-based authorization with an OIDC provider. The Android docs do. They show using the following code:
I need to understand how to do the same thing in JS. From looking through the API documentation (https://aws-amplify.github.io/amplify-js/api/globals.html#authproviders ), I have tried to understand how to set it up but it isn't working.
Here is my current code:
When I run this, I get the following error:
It suggests I need to run amplify add auth and then amplify push, but I don't believe it make sense to do this in my case because this same DataStore is already being used in prod by our Android and iOS applications. Is that correct?
As a workaround, we have been using the cache instead, but I'm concerned that this is not the intended approach and could lead to undesired behavior and potential bugs. Can you advise whether that is a concern I should have? Here is that code:
Thank you
Expected behavior
I expected that adding the code as described would not have an error and would result in the browser's data being populated with the appropriate user's data.
Reproduction steps
Code Snippet
Log output
aws-exports.js
No response
Manual configuration
No response
Additional configuration
No response
Mobile Device
No response
Mobile Operating System
No response
Mobile Browser
No response
Mobile Browser Version
No response
Additional information and screenshots
No response