How to handle User Pool authorization with a JavaScript resolver in AWS AppSync?

0

I'm trying to implement owner-based authorization in the function but keep getting an error when getting the sub and username properties of ctx.identity. Here is my code and the error message.

if (util.authType() != 'User Pool Authorization') {
    util.unauthorized();
}
const sub = ctx.identity.sub;

Ln 11, Col 30    code.js(11,30): error TS2339: Property 'sub' does not exist on type 'Identity'. Property 'sub' does not exist on type 'AppSyncIdentityIAM'.

I would greatly appreciate any help. Thank you.

Edit: The only workaround I found is to call JSON.parse(JSON.stringify(ctx.identity))

Denver
asked 9 months ago, 577 views
3 answers
0

You can use the following code as a workaround to get the username from ctx.identity. At least the UI allows saving it, and the value is correct.

const username = ctx.identity["username"]
answered 7 months ago
  • It's very weird that ctx.identity.username is not working, but your suggestion is working!

0

Hi Denver,

Look at this documentation here: https://docs.aws.amazon.com/appsync/latest/devguide/resolver-context-reference-js.html#aws-appsync-resolver-context-reference-identity-js

This shows you the structure of the identity object based on the authentication method used; for IAM (as you are using it), .sub doesn't exist!

Let me know if that answered your question.

Regards, Johannes

answered 9 months ago
0

@Lockhead certainly is correct in saying that type AppSyncIdentityIAM does not have a sub attribute.

However, I ran into a similar issue which, AFAICT, cannot be explained in the same way: I am using a Cognito user pool to authenticate and authorize my users, and my resolver code looks like this:

import { util } from '@aws-appsync/utils'
export function request(ctx) {
  console.log("ctx.identity:", ctx.identity)
  return {
    operation: 'GetItem',
    key: util.dynamodb.toMapValues({ user_id: ctx.identity.username }) // ERROR: see below
  }
}

Trying to save this code in the AppSync resolver online editor (or adding it using some IaC tool) fails with:

error TS2339: Property 'username' does not exist on type 'Identity'.
Property 'username' does not exist on type 'AppSyncIdentityOIDC'

NOTE: This is type AppSyncIdentityOIDC, as opposed to AppSyncIdentityIAM in @Denver's original question, which is not mentioned in the AWS docs linked by @Lockhead.

The console.log output (in CloudWatch) shows that the username attribute clearly does exist:

{
    "claims": {
       ... (snipped) ...
    },
    "defaultAuthStrategy": "ALLOW",
    "groups": null,
    "issuer": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_(redacted)",
    "sourceIp": [
        "(redacted)"
    ],
    "sub": "(redacted)",
    "username": "(redacted: matches expectation)"
}

So, from where I am standing, this looks like an AWS bug to me.

I am able to work around this using the JSON.parse(JSON.stringify(ctx.identity)) approach @Denver mentioned.

answered 8 months ago
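The thread establishes two things: the console's TypeScript check rejects `ctx.identity.sub` / `.username` because it types `ctx.identity` as a union of all auth modes, while the runtime object (see the CloudWatch dump above) does carry those fields, and bracket access (`ctx.identity["username"]`) or the JSON round-trip gets past the checker. The example below, added here and not code from the thread or from AWS, models the full owner-based authorization pattern the question is after in plain Node.js so it runs offline: the `util` helpers are not available outside AppSync, so `authType` is passed in as the string `util.authType()` returns at runtime, `util.unauthorized()` is modelled as `{ ok: false, reason: 'Unauthorized' }`, and the DynamoDB key is written in the `{ S: ... }` form that `util.dynamodb.toMapValues()` produces. The identity objects and the `owner` item attribute are constructed samples.

```javascript
// Added example, not from the thread or from AWS. Plain Node.js model of an
// owner-based AppSync resolver (request + response halves). Assumptions:
//  - `authType` is the string util.authType() returns at runtime.
//  - { ok: false, reason: 'Unauthorized' } stands in for util.unauthorized().
//  - DynamoDB keys are written as { S: ... }, the output of toMapValues().
//  - Items carry a constructed `owner` attribute holding the creator's sub.

const USER_POOL = 'User Pool Authorization';
const IAM = 'IAM Authorization';

// Owner key for the caller. Bracket access is what the thread found the
// console's TypeScript check accepts on the union Identity type; the field is
// present at runtime either way. `sub` is used rather than `username` because
// it is the stable, unique Cognito user identifier.
function ownerOf(identity, authType) {
  if (!identity) return null;
  if (authType === USER_POOL) return identity['sub'] || null;
  if (authType === IAM) return identity['userArn'] || null;
  return null; // API key, OIDC without sub, etc.: no per-user owner here
}

// Request half: admit only User Pool callers and scope the key to the
// caller's own sub, so the GetItem can never address another user's row.
function ownerGetRequest(ctx, authType) {
  const owner = ownerOf(ctx.identity, authType);
  if (authType !== USER_POOL || owner === null) {
    return { ok: false, reason: 'Unauthorized' };
  }
  return {
    ok: true,
    request: { operation: 'GetItem', key: { user_id: { S: owner } } },
  };
}

// Response half: re-check the stored item's owner against the caller. This is
// redundant for a sub-scoped GetItem but catches Query/Scan/BatchGet paths
// where the key was not derived from the identity.
function ownerResponse(ctx, authType) {
  const owner = ownerOf(ctx.identity, authType);
  const item = ctx.result;
  if (item === null || item === undefined) return { ok: true, result: null };
  if (owner === null || item.owner !== owner) {
    return { ok: false, reason: 'Unauthorized' };
  }
  return { ok: true, result: item };
}

// Constructed sample identities mirroring the documented shapes.
const userPoolIdentity = {
  sub: 'a1b2c3d4-0000-4000-8000-000000000001',
  username: 'denver',
  issuer: 'https://cognito-idp.us-east-1.amazonaws.com/us-east-1_example',
  claims: {},
  groups: null,
  sourceIp: ['203.0.113.10'],
  defaultAuthStrategy: 'ALLOW',
};
const iamIdentity = {
  accountId: '123456789012',
  userArn: 'arn:aws:iam::123456789012:user/alice',
  sourceIp: ['203.0.113.11'],
};

// Walk the three interesting cases and return their outcomes.
function demo() {
  const ownItem = { user_id: userPoolIdentity.sub, owner: userPoolIdentity.sub };
  const foreignItem = { user_id: 'someone-else', owner: 'someone-else' };
  return {
    userPoolRequest: ownerGetRequest({ identity: userPoolIdentity }, USER_POOL),
    iamRequest: ownerGetRequest({ identity: iamIdentity }, IAM),
    ownRow: ownerResponse({ identity: userPoolIdentity, result: ownItem }, USER_POOL),
    foreignRow: ownerResponse({ identity: userPoolIdentity, result: foreignItem }, USER_POOL),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}

module.exports = { USER_POOL, IAM, ownerOf, ownerGetRequest, ownerResponse, userPoolIdentity, iamIdentity, demo };
```

In a real APPSYNC_JS resolver the `{ ok: false }` branches become `util.unauthorized()` and the `request` object is returned directly; the point the thread's workaround does not make explicit is that the authorization decision should not rest on the request key alone, so the response half repeats the owner comparison.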
