How to handle User Pool authorization with a JavaScript resolver in AWS AppSync?

0

I'm trying to implement owner-based authorization in the function but keep getting an error when getting the sub and username properties of ctx.identity. Here is my code and the error message.

import { util } from '@aws-appsync/utils'

export function request(ctx) {
    if (util.authType() != 'User Pool Authorization') {
        util.unauthorized();
    }
    const sub = ctx.identity.sub; // the editor rejects this line, see the error below
}
Ln 11, Col 30	code.js(11,30): error TS2339: Property 'sub' does not exist on type 'Identity'. Property 'sub' does not exist on type 'AppSyncIdentityIAM'.

I would greatly appreciate any help. Thank you.

Edit: The only workaround I found is to call JSON.parse(JSON.stringify(ctx.identity))

Denver
asked 9 months ago · 549 views
3 Answers
0

You can use the following code as a workaround to get the username from ctx.identity. At least the UI allows saving it, and the value is correct.

const username = ctx.identity["username"]
answered 6 months ago
  • It's very weird that ctx.identity.username is not working, but your suggestion is working!

0

Hi Denver

Look at this documentation here: https://docs.aws.amazon.com/appsync/latest/devguide/resolver-context-reference-js.html#aws-appsync-resolver-context-reference-identity-js

This shows you the structure of the identity object based on the authentication method used; for IAM (as you are using it), .sub doesn't exist!

Let me know if that answered your question.

Regards Johannes

answered 8 months ago
0

@Lockhead certainly is correct in saying that type AppSyncIdentityIAM does not have a sub attribute.

However, I ran into a similar issue which AFAICT cannot be explained in the same way: I am using a Cognito user pool to auth & auth my users and my resolver code looks like this:

import { util } from '@aws-appsync/utils'

export function request(ctx) {
  console.log("ctx.identity:", ctx.identity)
  return {
    operation: 'GetItem',
    key: util.dynamodb.toMapValues({ user_id: ctx.identity.username }) // ERROR: see below
  }
}

Trying to save this code in the AppSync Resolver online editor (or adding it using some IaC tool) fails with

error TS2339: Property 'username' does not exist on type 'Identity'.
Property 'username' does not exist on type 'AppSyncIdentityOIDC'

NOTE: This is type AppSyncIdentityOIDC as opposed to AppSyncIdentityIAM in @Denver's original question - which is not mentioned in the AWS docs linked by @Lockhead.

The console.log output (in CloudWatch) shows that the username attribute clearly does exist:

{
    "claims": {
       ... (snipped) ...
    },
    "defaultAuthStrategy": "ALLOW",
    "groups": null,
    "issuer": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_(redacted)",
    "sourceIp": [
        "(redacted)"
    ],
    "sub": "(redacted)",
    "username": "(redacted: matches expectation)"
}

So, from where I am standing, this looks like an AWS bug to me.

I am able to work around this using the JSON.parse(JSON.stringify(ctx.identity)) approach @Denver mentioned.

answered 8 months ago
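Pulling the thread together, here is an added example (not code from any of the posts above) of owner-based authorization in an AppSync JavaScript resolver backed by a Cognito User Pool: the caller's sub is read only after checking the auth type, using the bracket-access workaround from the answers, and the DynamoDB query is keyed on that sub rather than on anything the client sends. The `util` object is a constructed stand-in for `@aws-appsync/utils` so the file runs offline, and the GSI name `byOwner` and the `owner` attribute are assumptions.

```javascript
// Added example, not code from the thread above. Owner-based authorization in
// an AppSync JavaScript resolver backed by a Cognito User Pool: take the
// caller's `sub` only when the request was authorized by the user pool, then
// key the DynamoDB query on that value so the caller can only read their own
// items. `util` here is a constructed stand-in for '@aws-appsync/utils' so the
// file runs offline; the real resolver imports it instead.
const util = {
  authType() { return 'User Pool Authorization'; }, // stand-in; the real one reads the request
  unauthorized() { throw new Error('Unauthorized'); },
  dynamodb: {
    // Stand-in for util.dynamodb.toMapValues: wraps each value as a string attribute.
    toMapValues(obj) {
      const out = {};
      for (const [k, v] of Object.entries(obj)) out[k] = { S: String(v) };
      return out;
    },
  },
};

// Return the caller's Cognito `sub`, or null when the request did not come
// through the user pool (IAM, API key and OIDC identities have other shapes).
// Bracket access is the workaround from the thread: it reads the property at
// runtime without tripping the editor's union-type check on `ctx.identity`.
function userPoolSub(identity, authType) {
  if (authType !== 'User Pool Authorization' || !identity) return null;
  const sub = identity['sub'];
  return typeof sub === 'string' && sub.length > 0 ? sub : null;
}

// Build a Query scoped to the caller. The owner value comes from the verified
// token, never from ctx.args, so a client cannot ask for someone else's rows.
// Assumes a GSI named `byOwner` whose partition key is the `owner` attribute.
function ownerScopedQuery(identity, authType) {
  const sub = userPoolSub(identity, authType);
  if (sub === null) util.unauthorized();
  return {
    operation: 'Query',
    index: 'byOwner',
    query: {
      expression: '#owner = :owner',
      expressionNames: { '#owner': 'owner' },
      expressionValues: util.dynamodb.toMapValues({ ':owner': sub }),
    },
  };
}

// Resolver entry point; in the real resolver this is `export function request`.
function request(ctx) {
  return ownerScopedQuery(ctx.identity, util.authType());
}
```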
