Reputation: 948
I am using multiple authorization with AppSync (api key and OIDC).
I have got a query called 'getStudent' and the default auth is API KEY and OIDC is an additional auth mode.
The goal is to have the 'getStudent' available for API KEY, however, with OIDC, only the owner should be able to retrieve their own record. To achieve that I have edited the resolver mapping template for 'getStudent':
#if( $ctx.error )
  $util.error($ctx.error.message, $ctx.error.type, $ctx.result)
#else
  #if($ctx.result.id == $ctx.identity.claims.get("studentid"))
    $util.toJson($ctx.result)
  #else
    $util.unauthorized()
  #end
#end
However, although this works for OIDC, API KEY no longer works. I couldn't find any variables or way to perform a 'IF API KEY MODE DETECTED ALLOW ALL DATA TO BE RETURNED'.
Is this a known limitation or is there something I am missing?
Greatly appreciated,
Upvotes: 0
Views: 418
Reputation: 40084
If you are using more than one authorization type on AppSync then only the default one will work for everything. All other authorization types have to be explicitly defined for each Query and Mutation result using the appropriate directive such as:
type Query {
  getPost(id: ID): Post
  # Assuming default was OpenID Connect then this is necessary for API Key mode to run Query.
  getAllPosts: [Post] @aws_api_key
}
Here's a good article from the AWS blog.
Upvotes: 1
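An added example, not part of either post above: a response mapping template for getStudent that branches on the authorization mode of the request using AppSync's `$util.authType()` utility, so API key callers get the record and OIDC callers get it only when it is their own. The field signature in the comment (`id: ID!`, type `Student`) is an assumption about the schema, and both directives must be on the field for either mode to reach the resolver at all.

```velocity
## Response mapping template for getStudent (added example, not the poster's code).
## Assumed schema field, with both modes allowed explicitly:
##   getStudent(id: ID!): Student @aws_api_key @aws_oidc
#if( $ctx.error )
  $util.error($ctx.error.message, $ctx.error.type, $ctx.result)
#end

## $util.authType() returns a string naming the mode that authorized this request.
#set( $authType = $util.authType() )

#if( $authType == "API Key Authorization" )
  ## API key requests carry no identity ($ctx.identity is null), so no claim
  ## check is possible here; return the record unchanged.
  $util.toJson($ctx.result)
#elseif( $authType == "Open ID Connect Authorization" )
  ## OIDC requests: return the record only when its id equals the caller's
  ## "studentid" claim. A missing claim or a missing record is denied.
  #set( $claim = $util.defaultIfNull($ctx.identity.claims.get("studentid"), "") )
  #if( !$util.isNullOrEmpty($claim) && !$util.isNull($ctx.result) && $ctx.result.id == $claim )
    $util.toJson($ctx.result)
  #else
    $util.unauthorized()
  #end
#else
  ## Fail closed for any mode this template does not handle explicitly.
  $util.unauthorized()
#end
```

The original template denied API key requests because `$ctx.identity` is null in that mode, so the claim comparison could never be true.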