Open masarliev opened 1 week ago
Hi @masarliev 👋 thanks for raising this issue!
Have you checked the access token for the custom claims? I'm afraid they're probably not present and you will probably be able to see them on the ID token. At the moment, custom claims are only available on ID tokens.
A potential workaround might be to use the ID token in the Authorization header using a custom graphql header in the Amplify configuration, but this is not recommended because ID tokens are not intended to serve authorization purposes like Access tokens are. However, it is possible to customize access tokens to include the same claims as the ID token; the downside is that this comes with an extra cost from AWS Cognito.
For more information on customizing access tokens: https://aws.amazon.com/about-aws/whats-new/2023/12/amazon-cognito-user-pools-customize-access-tokens/
Hi @chrisbonifacio I use a V2_0 pre token generation lambda that modifies both tokens and adds custom claims. https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html
Ah okay, so you are already leveraging the advanced security features of Cognito.
In that case, can you confirm that the claims are indeed on the access token?
If so, what is the format of the claim? Is it an array of school ids?
Yes, they are in the claim, and list/get of both models works, but when I want to include school.* in the classes list it throws the error described in the issue.
Okay, thanks for confirming! I will attempt to reproduce and report back with any findings.
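The thread above describes a V2_0 pre token generation Lambda that adds the same custom claim to both the ID token and the access token. The following is an added example of such a handler, not code from the issue or from Amplify; the user attribute name `custom:school_ids`, the claim name `school_ids`, and the sample event are constructed for illustration, and it assumes the V2_0 event accepts a JSON array as a claim value (as the reporter's array-of-school-ids claim implies).

```javascript
// Added example: Cognito pre token generation trigger (V2_0 event shape)
// that mirrors one custom claim onto both the ID token and the access token.
// Attribute and claim names below are hypothetical.
const SOURCE_ATTRIBUTE = "custom:school_ids"; // hypothetical attribute: "id1,id2"
const CLAIM_NAME = "school_ids";               // hypothetical claim read by Amplify authz

// Parse a comma-separated attribute value into a deduplicated array of ids.
function parseSchoolIds(raw) {
  if (typeof raw !== "string") return [];
  return [...new Set(raw.split(",").map((s) => s.trim()).filter(Boolean))];
}

// Build the claimsAndScopeOverrideDetails object for a version-2 event.
// Returns null for any other trigger version so the event passes through untouched.
function buildOverrides(event) {
  if (!event || event.version !== "2") return null;
  const ids = parseSchoolIds(event.request?.userAttributes?.[SOURCE_ATTRIBUTE]);
  if (ids.length === 0) return null; // no schools: add no claim rather than an empty one
  return {
    idTokenGeneration: { claimsToAddOrOverride: { [CLAIM_NAME]: [...ids] } },
    accessTokenGeneration: { claimsToAddOrOverride: { [CLAIM_NAME]: [...ids] } },
  };
}

// Lambda entry point: Cognito expects the (possibly modified) event back.
async function handler(event) {
  const overrides = buildOverrides(event);
  if (overrides) {
    event.response.claimsAndScopeOverrideDetails = overrides;
  }
  return event;
}

// Constructed sample event, shaped like a V2_0 TokenGeneration_Authentication call.
const SAMPLE_EVENT = {
  version: "2",
  triggerSource: "TokenGeneration_Authentication",
  request: {
    userAttributes: { sub: "example-sub", [SOURCE_ATTRIBUTE]: "school-a, school-b, school-a" },
    groupConfiguration: { groupsToOverride: [], iamRolesToOverride: [], preferredRole: null },
  },
  response: {},
};

if (typeof module !== "undefined") module.exports = { handler, buildOverrides, parseSchoolIds };
```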
JavaScript Framework: Vue
Amplify APIs: GraphQL API
Amplify Version: v6
Amplify Categories: api
Backend: Amplify Gen 2 (Preview)
Describe the bug
Using a custom identity claim for authorization fails to retrieve related objects. https://docs.amplify.aws/vue/build-a-backend/data/customize-authz/configure-custom-identity-and-group-claim/ When calling the API for each model separately everything works as expected, but when I query
the API returns "Not Authorized to access school on type Class.". When the authenticated user is a teacher it works as expected and the school object is returned.
Expected behavior
return related object
Reproduction steps
Code Snippet
Log output