AWS AppSync Authorization

Question

I'm planning to use AWS Appsync to migrate a graphQL endpoint in a lambda function, which is being triggered by a POST via the API Gateway. I'm looking into AppSync mainly because of the subscriptions, which I can't create using a Lambda function.

My Authentication mechanism is based on Auth0, using passwordless, and my authorization mechanism in based on the data from several tables in DynamoDB and it's embedded in the graphQL resolvers, as recommended by Facebook and Apollo.

What is more, it is based on every part of the request, which includes checking permission to invoke the query/mutation, and after that, the different entities included in the query, as the appropriate resolvers are being fired.

As far as I can see, this is far away from being possible in AWS AppSync, as it enforces using Cognito. Maybe some kind of custom authorizer, like in the API Gateway could do the work, but it's still uncertain, because it needs to be executed many times during the graphQL request resolution (remember, one per nested object apart from the initial operation check).

Maybe I can make a workaround regarding the subscriptions using notifications and refresh the queries, but I'll have to look into that as well.

Anyone else with this problem too? How do you plan to, or have solved it?

Any help will be much appreciated

Carlos

Answer 1

At this point AppSync supports AuthZ checks using the metadata in the resource you are querying, or you can pass through the data and check it in the resolver. For instance you can store authorization metadata on the DynamoDB table and check it and then return data, but you cannot check a separate data source. However there will be more auth methods opened up in the future as AppSync is still not GA.

In the meantime some options:

• Use Lambda as your resolver and do your AuthZ check there before reading/writing to DynamoDB

• Federate your Auth0 identity with AWS IAM and use those credentials in the resolver as a check. AppSync supports these credentials.

• Check the JWT claims in the resolver that you pass through for your AuthZ check. You can use $context.identity.claims.attrib� in the Velocity language for this.

Please keep checking the AppSync documentation page in the coming months as the service evolves for more options here.

EDIT There is now a guide in the documentation for AppSync authorization scenarios and use cases: https://docs.aws.amazon.com/appsync/latest/devguide/security-authorization-use-cases.html

EDIT #2 There is a new blog post for using multiple data sources with your resolvers for advanced authorization scenarios: https://hackernoon.com/graphql-authorization-with-multiple-data-sources-using-aws-appsync-dfae2e350bf2