sid88in
commented
6 years ago @tuomassalo you might want to create this issue in serverless-appsync-plugin (more active)
Open tuomassalo opened 6 years ago
sid88in
commented
6 years ago @tuomassalo you might want to create this issue in serverless-appsync-plugin (more active)
shukob
commented
5 years ago I experienced similar problems using custom OIDC provider implementation using node-oidc-provider. I do not know if this is related, but the following settings worked:
formats: {
default: 'opaque',
AccessToken: 'jwt'
},
scopes: ['openid', 'offline_access'],
subjectTypes: ['public', 'pairwise'],
clientCacheDuration: 1 * 24 * 60 * 60, // 1 day in seconds,
ttl: {
AccessToken: 1 * 60 * 60, // 1 hour in seconds
AuthorizationCode: 10 * 60, // 10 minutes in seconds
IdToken: 1 * 60 * 60, // 1 hour in seconds
DeviceCode: 10 * 60, // 10 minutes in seconds
RefreshToken: 1 * 24 * 60 * 60 // 1 day in seconds
},
features: {
devInteractions: false,
discovery: true,
requestUri: true,
oauthNativeApps: true,
pkce: true,
backchannelLogout: true,
frontchannelLogout: true,
claimsParameter: true,
clientCredentials: true,
encryption: true,
introspection: true,
jwtIntrospection: true,
alwaysIssueRefresh: true,
registration: false,
registrationManagement: false,
request: true,
revocation: true,
sessionManagement: false,
webMessageResponseMode: true // defaults to false
}I suspect JWT and pairwise related availability is required.
maxpastor
commented
5 years ago Anything new on this subject ? I encounter the same problem and can't find a way to make it work.
skirang71
commented
2 months ago For anyone who is trying to add autentication as the OPENID_CONNECT. This format worked perfectly for me:
appSync: authentication: type: 'OPENID_CONNECT' config: issuer: 'https://auth.example.com' clientId: '5fbc318d-5920-48a8-92ea-20d62d16cc60'
If you want to add multiple authentication modes for the appsync. Examples are provided here by the serverless-appsync-plugin https://github.com/sid88in/serverless-appsync-plugin/blob/master/doc/authentication.md
I'd like to use AppSync - but with OpenID Connect instead of Cognito. Since I've found no example code anywhere (!), I've been trying to modify this repo for the purpose.
For now, I've done more or less these steps:
app-backend/appsync/dynamo/serverless.yml:updated
serverless-appsync-pluginto 1.x and fixed some migration stuff as per https://github.com/sid88in/serverless-appsync-plugin#-migration-from-versions-prior-to-10updated most of the modules in
app-client/appsync-client/package.jsondisabled
AmplifyandwithAuthenticatorfrom/Users/naapuri/dev/witchcase/app-client/appsync-client/src/App.js- should I not do that?tried to manually inject an id token:
Now my application sends the token as
Authorization: ey...within GraphQL endpoint queries. The GraphQL queries give me errors as follows:If the token is expired or malformed, I get a 401 and a decent error message telling me that.
If I have set a value to
clientIdin AppSync settings, I get a 401:clientIdempty (or give it the same value as theaud(!) param of my token), I get a 500:Now I'm quite stuck, since the GraphQL endpoint is a black box, and even if I enable AppSync logging, there's nothing informative in CloudWatch logs. My ngrok inspector show that an AWS server makes two (successful) requests to my OIDC test server: one to
/certsand another one to/.well-known/openid-configuration.Any idea what I might be missing? Or, any pointers where to start for using OIDC with AppSync?