Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Appsync with OIDC Authorization with firebase always throwing Unauthorized for Lambda mutation

0

I am trying to get firebase and Appsync working together. For appsync setup I am doing:

authorizationConfig: {
  defaultAuthorization: {
    authorizationType: AuthorizationType.OIDC,
    openIdConnectConfig: {
      oidcProvider: 'https://securetoken.google.com/<with my proper project id>',
      clientId: '<with the app id from firebase>', 
      tokenExpiryFromAuth: 3600
    },
  },
  additionalAuthorizationModes: [
    {
      authorizationType: AuthorizationType.API_KEY,
      apiKeyConfig: {
        description: 'API key used by internal services needing to access AppSync',
        expires: Expiration.after(Duration.days(364)),
        name: 'internal-service-key',
      },
    },
  ],

Executing the mutation (which is directed at a Lambda) works via API Key. However, I am always getting Unauthorized when trying it via open connect. Things I do know: The oidcProvider is right I am not 100% sure on the ClientID, i assume that is the App ID from firebase console which I have used (I have also tried everything else I could find) I successfully generate an Authorization token and use it (Appsync even reports it as expired when i do use it and its expired)

I do not see any real detail of any issue in Cloudwatch besides the Unauthorized result.

I have been banging my head against the wall for quite some time trying to determine what the issue here might be. Any direction or assistance would be greatly appreciated.

Thanks

Topics
Application IntegrationServerlessFront-End Web & MobileComputeSecurity, Identity, & Compliance
Tags
AWS AppSyncAWS Identity and Access ManagementAWS Lambda
Language
English
asked 2 years ago537 views
1 Answer
0

In this case AppSync is looking for a token issuer that conforms with the OIDC specification. Which means they would need to have a /.well-known/openid-configuration endpoint.

It's not clear to me from the Firebase documentation that Firebase is actually a full OIDC provider (just because it issues an identity token in the JWT format doesn't necessarily mean it has all the OIDC endpoints)

You could potentially check by trying to navigate to https://securetoken.google.com/<project_id>/.well-known/openid-configuration with the correct project_id inserted.

If it's not OIDC compliant, but you still want to use the Identity Token issued by Firebase for authorization, you could implement Lambda Authorization and use the Firebase SDK or Third party library approaches described in the Firebase documentation.

AWS
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content