I'm currently utilizing API-Key as my default auth method and it is working as expected. I am working to convert over to using CognitoUserPools by adding an "Additional authorization provider" via the AppSync console. The goal is to allow users to update their apps before flipping the switch and disabling the API key.
If I set my AppSync API Settings to utilize the Cognito Pool as the default method in the AWS Console and also set the Cognito Pool as the Default in the awsconfiguration.json file, I am able to authenticate through. I am also able to authenticate through when using the API key, as I have been.
However, if I use multiple auth methods (per https://docs.amplify.aws/sdk/api/graphql/q/platform/ios/#authorization-modes) I get 401 auth errors for the Cognito config. The API key still works (with Swift code adjusted). I have confirmed that the appSyncConfig is indeed using the correct Cognito service config from the json file. I cannot figure out why it will not let me auth. API responses will return errors for being unable to auth, as well.
AWSAppSync ver. 3.6.1
Not working:
let serviceConfigCognito = try AWSAppSyncServiceConfig(forKey: "friendly_name_AMAZON_COGNITO_USER_POOLS")
let cacheConfigCognito = try AWSAppSyncCacheConfiguration(
    useClientDatabasePrefix: true,
    appSyncServiceConfig: serviceConfigCognito
)
let clientConfigCognito = try AWSAppSyncClientConfiguration(
    appSyncServiceConfig: serviceConfigCognito,
    userPoolsAuthProvider: MyCognitoUserPoolsAuthProvider(),
    cacheConfiguration: cacheConfigCognito
)
appSyncClient = try AWSAppSyncClient(appSyncConfig: appSyncConfig)

"AppSync": {
    "Default": {
        "ApiUrl": "https://xyz.us-west-2.amazonaws.com/graphql",
        "Region": "us-west-2",
        "AuthMode": "API_KEY",
        "ApiKey": "da2-xyz",
        "ClientDatabasePrefix": "friendly_name_API_KEY"
    },
    "friendly_name_AMAZON_COGNITO_USER_POOLS": {
        "ApiUrl": "https://xyz.us-west-2.amazonaws.com/graphql",
        "Region": "us-west-2",
        "AuthMode": "AMAZON_COGNITO_USER_POOLS",
        "ClientDatabasePrefix": "friendly_name_AMAZON_COGNITO_USER_POOLS"
    }
}
Working:
let cacheConfiguration = try AWSAppSyncCacheConfiguration()
let appSyncConfig = try AWSAppSyncClientConfiguration(
    appSyncServiceConfig: AWSAppSyncServiceConfig(),
    userPoolsAuthProvider: MyCognitoUserPoolsAuthProvider(),
    cacheConfiguration: cacheConfiguration
)
appSyncClient = try AWSAppSyncClient(appSyncConfig: appSyncConfig)

"AppSync": {
    "Default": {
        "ApiUrl": "https://xyz.us-west-2.amazonaws.com/graphql",
        "Region": "us-west-2",
        "AuthMode": "AMAZON_COGNITO_USER_POOLS"
    }
}
Support class required:
class MyCognitoUserPoolsAuthProvider : AWSCognitoUserPoolsAuthProvider {
    func getLatestAuthToken() -> String {
        let pool = AWSCognitoIdentityUserPool(forKey: CognitoPoolID)
        let session = pool?.currentUser()?.getSession()
        if let token = session?.result?.idToken {
            return token.tokenString
        } else {
            return ""
        }
    }
}
Thanks for the input. I have attempted adding "@aws_api_key @aws_cognito_user_pools" to the first Type in my query sequence and am still receiving a 401. This page (at the bottom) states it must have both. https://repost.aws/knowledge-center/aws-appsync-graphql-request-unauth-error
Interestingly, if I reload the application a few times, I'm able to get a failure on the query itself. "Unauthorized" "Not Authorized to access getData on type Query"
The query currently has a simple resolver with 1 input parameter. There are no limitations on resolver output.
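The "Not Authorized to access getData on type Query" error above is the kind of result a schema check can narrow down. As an added example (not from the original post and not AWS code), this sketch lists the fields a given auth mode cannot reach, assuming the AppSync rules that an un-annotated type or field falls back to the API's default mode and that a field-level directive overrides the type-level ones. The regex parser only handles simple SDL, and the schema and function names are constructed for illustration.

```python
import re

# AppSync auth mode -> schema directive that grants that mode access.
DIRECTIVE = {"API_KEY": "aws_api_key", "AWS_IAM": "aws_iam",
             "AMAZON_COGNITO_USER_POOLS": "aws_cognito_user_pools",
             "OPENID_CONNECT": "aws_oidc", "AWS_LAMBDA": "aws_lambda"}
TYPE_RE = re.compile(r"\btype\s+(\w+)([^{]*)\{([^}]*)\}")
FIELD_RE = re.compile(r"^\s*(\w+)\s*(?:\([^)]*\))?\s*:\s*\[?\s*(\w+)(.*)$")

def auth_dirs(text):
    """Auth directive names (without '@') in a type header or field tail."""
    return set(re.findall(r"@(\w+)", text)) & set(DIRECTIVE.values())

def parse(sdl):
    """type name -> (type directives, {field: (return type, field directives)})"""
    types = {}
    for name, head, body in TYPE_RE.findall(sdl):
        matches = filter(None, map(FIELD_RE.match, body.splitlines()))
        fields = {m.group(1): (m.group(2), auth_dirs(m.group(3))) for m in matches}
        types[name] = (auth_dirs(head), fields)
    return types

def denied_fields(sdl, default_mode, mode, roots=("Query", "Mutation", "Subscription")):
    """Fields `mode` cannot access: root fields plus fields of their return types."""
    types, denied = parse(sdl), []
    def check(tname):
        type_dirs, fields = types[tname]
        for fname, (_, field_dirs) in fields.items():
            effective = field_dirs or type_dirs   # field-level overrides type-level
            ok = DIRECTIVE[mode] in effective if effective else mode == default_mode
            if not ok and f"{tname}.{fname}" not in denied:
                denied.append(f"{tname}.{fname}")
    for root in (r for r in roots if r in types):
        check(root)
        # Only object return types are walked; scalars such as ID are skipped.
        for ret in [r for r, _ in types[root][1].values() if r in types]:
            check(ret)
    return denied

# Constructed schema: only the root type carries both directives.
SAMPLE_SDL = """type Query @aws_api_key @aws_cognito_user_pools {
  getData(id: ID!): Data
}
type Data {
  id: ID!
  value: String
}
"""
if __name__ == "__main__":
    print(denied_fields(SAMPLE_SDL, "API_KEY", "AMAZON_COGNITO_USER_POOLS"))
```

With API_KEY as the default mode, the sample reports the fields of the return type `Data` as unreachable for Cognito callers even though `Query` itself is annotated.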