1. 技术文章
  2. Group authorization in AppSync using IAM authentication

Group authorization in AppSync using IAM authentication

*爱你&永不变心* 提交于 2019-12-09 17:51:48

问题


My service requires user groups for authorising access to data.

Group authorization examples in AppSync documentation are based on User Pool claims. I'm using IAM authentication so $context.identity doesn't include claims or any similar information.

See, for example, topic "Use Case: Group Can Create New Record" in: https://docs.aws.amazon.com/appsync/latest/devguide/security-authorization-use-cases.html

#set($expression = "")
#set($expressionValues = {})
#foreach($group in $context.identity.claims.get("cognito:groups"))
    #set( $expression = "${expression} contains(groupsCanAccess, :var$foreach.count )" )
    #set( $val = {})
    #set( $test = $val.put("S", $group))
    #set( $values = $expressionValues.put(":var$foreach.count", $val))
    #if ( $foreach.hasNext )
    #set( $expression = "${expression} OR" )
    #end
#end
{
    "version" : "2017-02-28",
    "operation" : "PutItem",
    "key" : {
        ## If your table's hash key is not named 'id', update it here. **
        "id" : { "S" : "$context.arguments.id" }
        ## If your table has a sort key, add it as an item here. **
    },
    "attributeValues" : {
        ## Add an item for each field you would like to store to Amazon DynamoDB. **
        "title" : { "S" : "${context.arguments.title}" },
        "content": { "S" : "${context.arguments.content}" },
        "owner": {"S": "${context.identity.username}" }
    },
    "condition" : {
        "expression": "attribute_not_exists(id) OR $expression",
        "expressionValues": $utils.toJson($expressionValues)
    }
}

I would expect to just check from User table whether the user is in a group that grants this permission. However, DynamoDB conditions don't seem to support querying other tables.


回答1:


Today i'm using something similar to your requirement. For that I add a custom header in the amplify request with the JWT token from Cognito User Pool. In my case, I parse the JWT inside a lambda resolver. For your case, you'll need to parse the JWT token in the frontend and send it parsed (and encoded) in the custom header. Inside your resolver you can decode the header value and extract the groups from the claims.



来源:https://stackoverflow.com/questions/49901500/group-authorization-in-appsync-using-iam-authentication

标签
amazon-dynamodb
aws-appsync
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!