aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

Support for AppSync multi auth (authMode) #3543

Closed pippo111 closed 4 years ago

pippo111 commented 5 years ago

Which Category is your question related to? GraphQL API

What AWS Services are you utilizing? AppSync, Cognito, IAM

Provide additional details e.g. code snippets

According to the documentation https://aws-amplify.github.io/docs/js/api#aws-appsync-multi-auth amplify supports multi-auth mode. Unfortunately, when setting an additional authMode in TypeScript there is an error with typings:

Argument of type '{ query: string; variables: {}; authMode: string; }' is not assignable to parameter of type 'GraphQLOptions'.
  Object literal may only specify known properties, and 'authMode' does not exist in type 'GraphQLOptions'.  TS2345

when using it like this:

API.graphql({
     query: queries.createTodo,
     variables: {input: todoDetails},
     authMode: 'AMAZON_COGNITO_USER_POOLS'
})

and even when I change the typings to accept authMode there is no response from the server - I'm still unauthorized to get the results.

All I'm trying to accomplish is to authenticate through Cognito and this way get Cognito user details in my resolver. Is it even possible?

powerful23 commented 5 years ago

@pippo111 Hi, can you provide the request headers when calling API.graphql()? If the authMode is AMAZON_COGNITO_USER_POOLS, then the access token from the Cognito service should be added into the headers.

ajhool commented 5 years ago

@pippo111 are you still having this issue?

elorzafe commented 5 years ago

@pippo111 which version of amplify are you using? This is supported as you can see here

dabit3 commented 4 years ago

I'm having the same issue. I've tested this in the AppSync console and everything works fine.

Here's the base schema:

type Post @model @auth(rules: [
  {allow: public, provider: iam}
  ]) {
  id: ID!
  title: String!
}

Here's the query in the transformed schema:

type Query {
  listPosts(filter: ModelPostFilterInput, limit: Int, nextToken: String): ModelPostConnection
    @aws_iam
}

Here is my API call:

const data = await API.graphql({
  query: listPosts,
  authMode: 'AWS_IAM'
})

Here is what my headers look like:

Authorization: AWS4-HMAC-SHA256 Credential=undefined/20191017/eu-central-1/appsync/aws4_request, SignedHeaders=content-type;host;x-amz-date;x-amz-user-agent, Signature=eb81fd2ffe9334522fd041cc5b89f2dc0c5741391d643626b8d315428ecf5620

Here's the error:

"GraphQLError: Request failed with status code 403
    at APIClass.<anonymous> (http://localhost:3001/static/js/0.chunk.js:5507:24)
    at step (http://localhost:3001/static/js/0.chunk.js:4667:17)
    at Object.throw (http://localhost:3001/static/js/0.chunk.js:4598:14)
    at rejected (http://localhost:3001/static/js/0.chunk.js:4558:32)"

I see that there is an undefined parameter in my headers. Could that be causing the issue? If so, any ideas around what I could do?

To reproduce:

$ amplify init

$ amplify add auth

$ amplify add api

# set base configuration to Amazon Cognito User Pools
# add additional authorization type of IAM

# add above schema

$ amplify push

# create a couple of items in the db from the AppSync console using IAM permissions

# Then query using the above query

dabit3 commented 4 years ago

Ok, this issue was because I did not have Cognito properly configured to use unauthenticated access. For me the solution was this:

amplify update auth

# walk through the steps for a custom flow, allowing unauthenticated access

amplify push

dabit3 commented 4 years ago

Follow up: comment from @undefobj cc @kaustavghosh06:

This should actually be configured automatically or the schema compilation should throw a warning - e.g. if public using provider with IAM, and unauth wasn’t enabled in auth category we should enter the auth flow to either enable it or automatically do it under the covers
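
The `Credential=undefined` value in the Authorization header posted above is what a SigV4-signed request looks like when the signer had no access key ID, the condition that enabling unauthenticated access resolved. As an added example (not part of this thread or of amplify-js), the check below parses a SigV4 Authorization header and reports that case; the function names, the constructed sample headers and the 16 to 128 character access-key format check are assumptions of the example.

```javascript
// Added diagnostic example; not part of amplify-js.
// Parses a SigV4 Authorization header and lists reasons it cannot be valid.
const SIGV4_RE =
  /^AWS4-HMAC-SHA256\s+Credential=([^,\s]+),\s*SignedHeaders=([^,\s]+),\s*Signature=([^,\s]+)$/;

function parseSigV4(header) {
  const m = SIGV4_RE.exec(String(header).trim());
  if (!m) return null;
  // Credential scope: <access key id>/<yyyymmdd>/<region>/<service>/aws4_request
  const [accessKeyId, date, region, service, terminator] = m[1].split('/');
  return { accessKeyId, date, region, service, terminator,
           signedHeaders: m[2].split(';'), signature: m[3] };
}

function diagnoseSigV4(header, expected = {}) {
  const p = parseSigV4(header);
  if (!p) return ['not a SigV4 Authorization header'];
  const findings = [];
  // A stringified undefined/null means the signer ran without any credentials.
  if (!p.accessKeyId || ['undefined', 'null'].includes(p.accessKeyId)) {
    findings.push('missing access key id: no IAM credentials were available to the signer');
  } else if (!/^\w{16,128}$/.test(p.accessKeyId)) { // assumed format check
    findings.push('access key id has an unexpected format');
  }
  if (!/^\d{8}$/.test(p.date || '')) findings.push('scope date is not yyyymmdd');
  if (p.terminator !== 'aws4_request') findings.push('scope does not end in aws4_request');
  if (expected.region && p.region !== expected.region)
    findings.push(`region is ${p.region}, expected ${expected.region}`);
  if (expected.service && p.service !== expected.service)
    findings.push(`service is ${p.service}, expected ${expected.service}`);
  // A 64-hex signature is emitted even without credentials, so a well-formed
  // signature says nothing about whether credentials were present.
  if (!/^[0-9a-f]{64}$/.test(p.signature)) findings.push('signature is not 64 hex characters');
  return findings;
}

// Constructed sample headers (the signature is a placeholder, not a real one).
const SIG = 'ab'.repeat(32);
const SIGNED = 'content-type;host;x-amz-date;x-amz-user-agent';
const SCOPE = '20191017/eu-central-1/appsync/aws4_request';
const BROKEN =
  `AWS4-HMAC-SHA256 Credential=undefined/${SCOPE}, SignedHeaders=${SIGNED}, Signature=${SIG}`;
const HEALTHY =
  `AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/${SCOPE}, SignedHeaders=${SIGNED}, Signature=${SIG}`;

const EXPECTED = { region: 'eu-central-1', service: 'appsync' };
console.log(diagnoseSigV4(BROKEN, EXPECTED));  // one finding: missing access key id
console.log(diagnoseSigV4(HEALTHY, EXPECTED)); // no findings
```

Run against a header copied from the browser's network tab, a "missing access key id" finding points at the credentials provider (here, the Cognito identity pool configuration) rather than at the GraphQL call itself.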

github-actions[bot] commented 3 years ago

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.
