How do I make authenticated requests to Amplify GraphQL using Firebase Auth as OIDC?

I need help setting up Firebase Auth + Amplify GraphQL. I'm trying to log in using federated sign-in with securetoken.google.com/PROJECT-ID as the provider, and it seems to log in alright, because when I call Auth.currentAuthenticatedUser() I get the token, and when listening to the Hub "signIn" event I get the token. My problem is making authenticated requests to my GraphQL API.

// Imports the snippet relies on (Amplify Auth/Cache, the AppSync client, and the generated config)
import { Auth, Cache } from 'aws-amplify'
import AWSAppSyncClient from 'aws-appsync'
import AppSyncConfig from './aws-exports'

// currentUser is the signed-in Firebase user object (e.g. firebase.auth().currentUser)
const signIn = async () => {
  try {
    // already logged in using firebase so I just need to get the token from the current user
    const tokenResult = await currentUser?.getIdTokenResult()
    // hand the Firebase ID token to Amplify as a federated (OIDC) identity
    await Auth.federatedSignIn('securetoken.google.com/PROJECT-ID', {
      token: tokenResult?.token,
    })
    const res = await Auth.currentAuthenticatedUser()
    console.log('token', res.token) // eyjhxxxxxxxxxx...
  } catch (error) {
    // ...
  }
}

// reads the token that is stored under '@accessToken' (written elsewhere after sign-in)
const getToken = async () => {
  const token = await Cache.getItem('@accessToken')
  return token
}

const client = new AWSAppSyncClient({
  url: AppSyncConfig.aws_appsync_graphqlEndpoint,
  region: AppSyncConfig.aws_appsync_region,
  auth: {
    type: AppSyncConfig.aws_appsync_authenticationType,
    // called on every request, so the token is resolved lazily
    jwtToken: () => getToken(),
  },
})

When calling Auth.currentSession() I get "No current user". Also, I do see the token in the Authorization header when I attempt to fetch data.

corasan asked Nov 02 '20 03:11


1 Answer

I have had a similar issue, so here are some things you can have a look at.

In AppSync in the AWS Console:

https://eu-west-1.console.aws.amazon.com/appsync/home

Make sure that your primary authorization mode is set to OpenID Connect, or add another authorization provider specifying "OpenID Connect" if you are happy with the primary.

If that does not solve it, you can try adding the @aws_oidc AppSync directive to your GraphQL schema.

type Query {
  getPosts: [Post!]! @aws_oidc
}

or

type Post
  @model
  @auth(
    rules: [
      { allow: owner, provider: oidc }
 ...

more here: https://aws.amazon.com/blogs/mobile/graphql-security-appsync-amplify/

Lastly, if you have more than one authorization provider, you might have to switch the primary authorization provider to "OpenID Connect". The issue I had was that Cognito (primary) blocked my secondary API Key authorization provider.

Update

AWS uses IAM roles for everything related to security. So when you authenticate with whichever authentication provider, an IAM role will be assigned to that request, and that IAM role needs permission on the resource in question, like execute permission on GraphQL queries, scanning of DynamoDB tables, etc., as per this image:


So you might need specific rules set in the IAM console for the IAM role in question (or at least check that it has permission); if not, you'll also get an unauthorized error message in the AppSync GraphQL query console.

more here: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/WIF.html?icmpid=docs_ddb_console

and here: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html?icmpid=docs_ddb_console

Herald Smit answered Oct 18 '22 13:10
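The answer hinges on AppSync's OpenID Connect provider settings matching the token the client actually sends, and the question shows a token being sent (the Authorization header starting with eyjh...) yet requests still failing. The following is an added diagnostic written for this page, not code from the asker or the answerer: it decodes a Firebase ID token locally and compares its iss, aud, exp and iat claims with the issuer URL and client id an AppSync OIDC provider is configured with. Firebase ID tokens carry iss = https://securetoken.google.com/<project-id> and aud = <project-id>; the sample token below is constructed with the PROJECT-ID placeholder from the question and a fake signature. Signature verification is deliberately left out because AppSync performs it server-side; the point here is to catch the configuration mismatches (wrong issuer string, wrong client id, expired token) that produce an unauthorized response even though a token is present.

```javascript
// Added diagnostic, not code from the question or the answer: decode a Firebase
// ID token locally and compare its claims with the OpenID Connect provider
// settings AppSync was given (issuer URL and optional client id). AppSync
// verifies the signature itself; this only explains why a request that carries
// an Authorization header can still come back unauthorized.

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj))
    .toString('base64')
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=+$/, '');
}

function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('not a JWT: expected header.payload.signature');
  }
  // Node's base64 decoder also accepts the URL-safe alphabet JWTs use
  const json = (s) => JSON.parse(Buffer.from(s, 'base64').toString('utf8'));
  return { header: json(parts[0]), payload: json(parts[1]) };
}

// Mirrors the OIDC provider settings in the AppSync console: issuer URL,
// optional client id, plus a reference time in seconds since the epoch.
function checkOidcClaims(token, { issuer, clientId, nowSeconds = Math.floor(Date.now() / 1000) }) {
  let payload;
  try {
    ({ payload } = decodeJwt(token));
  } catch (err) {
    return { ok: false, problems: [err.message] };
  }
  const problems = [];
  // AppSync compares the issuer string exactly, scheme included
  if (payload.iss !== issuer) {
    problems.push(`iss is "${payload.iss}" but the AppSync OIDC issuer is "${issuer}"`);
  }
  if (clientId && payload.aud !== clientId) {
    problems.push(`aud is "${payload.aud}" but the AppSync client id is "${clientId}"`);
  }
  if (typeof payload.exp !== 'number' || payload.exp <= nowSeconds) {
    problems.push('token is expired (or has no exp claim)');
  }
  if (typeof payload.iat !== 'number') {
    problems.push('token has no iat claim');
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample shaped like a Firebase ID token: Firebase sets iss to
// https://securetoken.google.com/<project-id> and aud to the project id.
// PROJECT-ID is the placeholder from the question; the signature is fake.
const SAMPLE_ISSUER = 'https://securetoken.google.com/PROJECT-ID';
const SAMPLE_TOKEN = [
  base64UrlEncode({ alg: 'RS256', typ: 'JWT', kid: 'constructed-kid' }),
  base64UrlEncode({ iss: SAMPLE_ISSUER, aud: 'PROJECT-ID', sub: 'uid-123', iat: 1700000000, exp: 1700003600 }),
  'signature-placeholder',
].join('.');

function report(token, settings) {
  const result = checkOidcClaims(token, settings);
  console.log(result.ok ? 'claims match the AppSync OIDC settings' : result.problems.join('\n'));
  return result;
}

// Frozen clock so the constructed sample is still valid when this file is run
report(SAMPLE_TOKEN, { issuer: SAMPLE_ISSUER, clientId: 'PROJECT-ID', nowSeconds: 1700000100 });
report(SAMPLE_TOKEN, { issuer: 'securetoken.google.com/PROJECT-ID', nowSeconds: 1700000100 });
```

The second call shows the most common mistake in this setup: the provider name passed to Auth.federatedSignIn in the question is written without the https:// scheme, and if the same string is entered as the issuer URL in the AppSync OIDC provider settings, the iss claim will not match and every request is rejected. Run this against a real ID token copied from the Authorization header (with the current clock) to see which claim AppSync is objecting to before touching @aws_oidc directives or IAM roles.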