By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

AppSync: Authorization function for a specific request

0

I'm trying to setup an authorization function for a specific request (here: topic subscription for push notifications). The function should be invoked anytime when someone calls the corresponding "function"/type.

As far as I understand the following code should setup a type, that runs the authorization function:

type Mutation {
	subscribe(topic: String, subscription: String): String
		@aws_lambda(name: "isAuthorizedToSubscribe")
}

The request mapping template looks as follows:

{
    "version" : "2018-05-29",
    "operation": "PutItem",
    "key" : {
        "topic": { "S" :  "$ctx.args.topic" },
      	"subscription": $util.dynamodb.toDynamoDBJson($ctx.args.subscription)
    }
}

Lambda function isAuthorizedToSubscribe:

exports.handler = (event, context, callback) => {
    console.log("*** Authorization handler for subscription was called ***")
    return {isAuth: false} 
}

Problem: <br> The lambda function does not get called and the request always goes through.

Notes:

  • The lambda function isAuthorizedToSubscribe has the permission to be invoked by AppSync.
  • This question is only about authorization for a call. It's not about authentication (which should be done earlier in the process via other measures (API key, cognito, ...))
  • I also tried adding "authorizationFunction": "cbe-trial2-push-isAuthorizedToSubscribe", into the mapping template, but that resulted in Unsupported element '$[authorizationFunction]'. upon request.
Topics
ServerlessFront-End Web & MobileApplication IntegrationAWS Well-Architected Framework
Tags
AWS AppSyncSecurity
Language
English
Peter
asked a year ago844 views
1 Answer
1
Accepted Answer

Thank you for reaching out us regarding the above query. I would like to share that, we can use @aws_lambda AppSync directive to specify if a type of field should be authorized by the AWS_LAMBDA authorization mode when using multiple authorization modes in our GraphQL API. With this authorization mode, we can implement our own API authorization logic using an Amazon Lambda function. Please note that we can use a Lambda function for either our primary or secondary authorizer, but there may only be one Lambda authorization function per API.

For example, consider the below sample schema, in which we would be calling a Lambda Authorization function for a specific request:

type Author @aws_lambda {
	id: ID!
	title: String
}
type Mutation {
	createAuthor(input: CreateAuthorInput!): Author @aws_lambda
}

Kindly note that, the '@aws_lambda' directive will use the lambda function configured in the authorization mode of our AppSync API. And as we can only use one Lambda authorization function per API hence, it would not be needed to specify the function name while using this directive.

Moving ahead, in my test setup, i have performed the below steps in order to make the authorization work:

  1. Writing a Lambda function to authorize GraphQL API calls - implement our business logic to authorize the request, in my case, i implemented the function to check the authorization token and, if the value is custom-authorized, the request is allowed else the requests are denied.
  2. Setting up AWS Lambda as authorization mode in AppSync - configure lambda function as the authorization from AppSync API >> Settings >> Default/Additional authorization mode (as per our use case) >> AWS_LAMBDA.
  3. While making the mutation request from AppSync Console, passed the token to lambda to verify it.

Using the above steps, i was able to invoke the lambda function set up in the authorization mode for authorizing the requests.

For detailed information on the same, please refer to the below documentation:

Additionally, if your use case is to use the different lambda functions for the specific request and handle/implement the business logic on the same, then you might consider using the Lambda resolvers for that specific field.

Having said that, in case you face further challenges, please feel free to open a support case with AWS using the following link.

AWS
SUPPORT ENGINEER
Abhishek_S
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content