How can I authenticate subscription with OpenID Connect in Appsync?

Question

I am making graphql subscription by AWS Appsync and configured OpenID Connect as authentication method. It works fine for mutation and query but doesn't work for subscription.

type Mutation {
    requestTransaction(transaction: TransactionRequestInput!): TransactionRequestACK!
        @aws_oidc
    responseTransaction(transaction: TransactionResponseInput!): TransactionResponse!
        @aws_iam @aws_api_key
}


type Subscription {
    responseTransaction(id: ID!): Transaction!
        @aws_subscribe(mutations: ["responseTransaction"])
        @aws_oidc
}

The schema above is the one I am using. Each field has configured a lambda as resolver. I am able to send mutation request to requestTransaction with OIDC jwt token. But when I send subscription request, the resolver is not triggered. The subscription on client side is pending and there is no error. Is there any special configuration required for subscription with OIDC?

Answer 1

Joey Yi Zhao, as of today this is a known bug in AWS Appsync queries console, even though you enter OIDC token in input. It is not passed along in case of subscription but it does work fine in case of query and mutations(you can verify the same in dev console of the browser).I got to know about this after contacting AWS support as i was also facing the same issue. If you test the subscription with OIDC through other means like aws-appsync package it works as expected.