Closed pr1ze closed 1 year ago
I am also trying to do this to enable dynamic unauthenticated access to some resources
@pr1ze Apologies for the delay on this issue. We've since made many updates to how we handle authorization. If you are still trying to get this to work, please try updating to the latest version of the aws-amplify package as well as the Amplify CLI @aws-amplify/cli and let us know if you are still in need of assistance.
@loganpowell if you are also still experiencing your issue, please open a new issue and fill out the bug form thoroughly so that we are able to reproduce and assist with feedback or a fix if there is a bug.
Hi, I am having the same issue where the idToken does receive the custom:tenantId but the DataStore syncs all the tenant records. I have the exact same setup as above. I am using the latest aws-amplify: "aws-amplify": "^4.3.33"

    type Tenant
      @model
      @auth(
        rules: [
          { allow: private, provider: iam, operations: [read] }
          { allow: groups, groups: ["ITSuperAdmin", "ITAdmin"] }
          { allow: owner, ownerField: "id", identityClaim: "custom:tenantId" }
        ]
      ) {
      id: ID! @primaryKey
      name: String!
    }

Can you please help me understand what I might have missed?
@pr1ze @prafullatandel, have you tried setting the DataStore authModeStrategyType to AuthModeStrategyType.MULTI_AUTH in Amplify.configure()? If you check the documentation here it may help with your issue.
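As an added illustration (not part of the thread and not aws-amplify source code), here is a simplified model of the default MULTI_AUTH priority order described in the DataStore documentation, applied to the Tenant rules posted above. The function name `authModesToTry` and the `DEFAULT_PROVIDER` table are assumptions made for this sketch.

```javascript
// Added example: simplified model of DataStore's documented default MULTI_AUTH
// ordering. In an app the strategy is enabled with:
//   Amplify.configure({ ...awsconfig,
//     DataStore: { authModeStrategyType: AuthModeStrategyType.MULTI_AUTH } });
const PRIORITY = [
  ['owner', 'userPools'], ['owner', 'oidc'],
  ['groups', 'userPools'], ['groups', 'oidc'],
  ['private', 'userPools'], ['private', 'iam'],
  ['public', 'iam'], ['public', 'apiKey'],
];
const AUTH_MODE = {
  userPools: 'AMAZON_COGNITO_USER_POOLS', oidc: 'OPENID_CONNECT',
  iam: 'AWS_IAM', apiKey: 'API_KEY',
};
// Assumption: provider used when an @auth rule omits `provider`.
const DEFAULT_PROVIDER = {
  owner: 'userPools', groups: 'userPools', private: 'userPools', public: 'apiKey',
};

// Returns the auth modes in the order they would be attempted for one model.
// Without a signed-in user only `public` rules are considered.
function authModesToTry(rules, signedIn) {
  const rank = (r) =>
    PRIORITY.findIndex(([allow, provider]) => allow === r.allow && provider === r.provider);
  const modes = rules
    .map((r) => ({ ...r, provider: r.provider || DEFAULT_PROVIDER[r.allow] }))
    .filter((r) => signedIn || r.allow === 'public')
    .filter((r) => rank(r) >= 0)
    .sort((a, b) => rank(a) - rank(b))
    .map((r) => AUTH_MODE[r.provider]);
  return [...new Set(modes)]; // each mode is tried at most once
}

// The @auth rules of the Tenant model posted in this thread.
const tenantRules = [
  { allow: 'private', provider: 'iam', operations: ['read'] },
  { allow: 'groups', groups: ['ITSuperAdmin', 'ITAdmin'] },
  { allow: 'owner', ownerField: 'id', identityClaim: 'custom:tenantId' },
];

console.log(authModesToTry(tenantRules, true));  // signed-in user
console.log(authModesToTry(tenantRules, false)); // no session
```

The order only decides which mode a request is sent with; what that mode may read is still decided by the matching @auth rule on the backend.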
Hi 👋 Closing this as we have not heard back from you. If you are still experiencing this issue and in need of assistance, please feel free to comment and provide us with any information previously requested by our team members so we can re-open this issue and be better able to assist you.
Thank you!
Describe the bug
Trying to use custom claims (groupClaim or identityClaim) does not work when also having @auth { allow: private, provider: iam }
The example provided in "To Reproduce" is based on group claim - however, it's not working either if doing @auth { allow: owner, ownerField: "name", identityClaim: "shopName" }
What I am trying to solve is doing multi-tenancy while also being able to access the API from lambdas using IAM roles.
To Reproduce
Having 2 entities in database
- A shop with name = "fooShop"
- A user which belongs to the above shop and an owner id corresponds to the user signed in later.
Doing query on DataStore
Then this error is thrown in console:
Expected behavior
I expected the user & the shop to be synced to the DataStore and be returned from the queries shown above.
Code Snippet
I am able to make the first "sync" work if i do:
However, this just results in another error, where it gets an Unauthorized for setting up the subscription. So I removed this code piece again, as it is also not documented in the official Amplify docs.
Both with & without adding the idtoken as authorization header I observed:
Doing some digging I discovered that it is using IAM instead of AMAZON_COGNITO_USER_POOLS for setting up subscriptions (same applies for all subscriptions):
I would have expected that it was using AMAZON_COGNITO_USER_POOLS because it is configured as default in my aws-exports.js. I do not know if this is related to the problem with syncing. But it looks like
From this code piece in getAuthorizationInfo - the IAM is chosen over AMAZON_COGNITO_USER_POOLS.
What is Configured?
React native app - package.json:
aws-exports.js
How amplify is configured in App.tsx