3rd Party App Tokens within AppSync with User Pools

Question

after some reading on Using multiple authorization types with AWS AppSync GraphQL APIs and The Complete Guide to User Authentication with the Amplify Framework , one thing I could not figure out is if I can have 3rd Party Application Tokens (e.g. like Twitter API) and use AppSync+Cognito to generate credentials for service-to-service mutations/query?

I already have a user flow via Cognito (type AMAZON_COGNITO_USER_POOLS). I want to centralize service-to-service calls using my AppSync. Limiting the service/token access would be great too (to only X Mutations, instead of the whole schema). Would that be possible?

I'm a bit lost around what are the current limitations.

• do I need a Custom Authorizer in Cognito?
• should I move everything to IAM credentials?
• a Lambda Resolver with manual credentials check + AppSync call?
• I can't do it and I need to store these tokens in a different place (DynamoDB, etc), with metadata/some id to have some kind of identity and always use Lambda Resolvers etc.

thoughts and insights are more than welcome, thanks!

Answer 1

As of today, AppSync does support 4 types of user authentication

• API key (no authentication)
• IAM credentials
• OpenID tokens
• Cognito User Pool tokens

There is a request to add custom lambda authorisers as well, but nothing has been announced to date.

In your scenario, I would use Cognito User Pool authentication on the App Sync side and federate Cognito User pool with Twitter OIDC. I know a couple of years ago Twitter was only supporting a custom subset of Oauth2. I'll let you check if they do support OIDC now :-)

But you're not the only asking this question

• https://forums.aws.amazon.com/thread.jspa?messageID=881666
• User pools for users who register via twitter?