Reputation: 2061
Appsync Authorization for Non Signed In Users
Im using Appsync in a Vue application and have Cognito user pools setup for users to be able to sign-in to my application. However, there are some pages on my app where a non-signed in user should be able to view only ie: "think: reading answers on stack overflow" , however there are some cases where users need to be able to add a comment to that page and need to sign in to edit it.
On my API in Appsync I have the authorization set to "Amazon Cognito User Pool" and the default action set to "Allow" but then how can I make it so non-cognito users can still view a page? What combination of settings should I use?
Upvotes: 2
Views: 988
Answers (1)
Reputation: 8482
Annoyingly AppSync does not support multiple authentication methods, and as you've noticed Cognito UserPool integration requires users to have signed in before they can access the graphql endpoint.
There are a few workarounds, however none of them are that pretty:
- Deploy two versions- one with full functionality using UserPools and one open version using API Key (that you embed into the client)
- Handle authentication yourself. Use the IAM Role security for App Sync, and instead of connecting directly to the graphql endpoint, create a proxy lambda in API Gateway that either verifies UserPool users or allows limited access with no credentials.
- Create a no-user "user" in your UserPool with known (e.g. in your app, or from an endpoint) credentials. The onus would then be on you to check if your user is this user when responding to secured mutations/queries. One way of doing this more safely might be to add a custom attribute "custom:insecure" which you can check for on non-open endpoints.
- Use the "viewer" pattern (check Facebook's implementation). Make your GraphQL Schema open by default (e.g. known API Key) and have all of your queries/mutations take the first parameter of
viewer. This might be the access token that Cognito returns on authentication. Each resolver would then be responsible for determining if the token is valid (e.g.cognito::getUser) or access is allowed without aviewerdefined.
Although it initially sounds like the hardest, I would recommend my first solution. There are ways of automating AppSync deployments, and it makes a clear distiniction between what's open and what's secured on your schema.
Upvotes: 2
Related Questions
- "No current user": Isn't it even possible to make unauth calls to AWS AppSync through Amplify with authentication type AMAZON_COGNITO_USER_POOLS?
- AWS AppSync - Unauthorized Exception
- AWS Cognito as an Open Id Authorizer for AWS AppSync
- Use a clientId without a client secret
- AppSync multiple authorisation
- How do I make an AWS AppSync GraphQL API publicly accessible while using Amazon Cognito for authentication?
- How allow unathenticated users (guess) to access to aws appsync?
- cannot authenticate user for aws appsync with swift SDK
- Appsync return 401 errors when connecting with cognito
- AWS AppSync IAM Authorization with Cognito Federated Identities