Amplify-js: Configure amplify to send IdToken
With userpool authentication in amplify, we would like to send idToken as authorization header instead of accessToken. Amplify API code is sending accessToken by default and looks like its not configurable.
With AppSync graphql test console, idToken is being sent which is different from amplify js behavior.
Wondering if there is a way to send idToken with amplify API.js?
shasti421
All 8 comments
To workaround, we can use app sync client with apollo-graphql, but we would like to use amplify library to leverage other features in amplify. Hoping this gets addressed soon.
shasti421
on 22 May 2019
@shasti421 we most likely will not make this change as using the IdToken isn't meant for this purpose. The IdToken is meant to prove who the user is when doing things such as federation or SSO. The AccessToken is used for proving what the user has access to (e.g. authorization) against an API resource. Since Amplify is designed to have best practices built in, this wouldn't be a good thing for us to change in the client. Perhaps you could let us know why you are looking to make this change and we could suggest an alternative?
undefobj
on 23 May 2019
This issue has been automatically closed because of inactivity. Please open a new issue if are still encountering problems.
![stale[bot] picture](https://avatars.githubusercontent.com/in/1724?v=4&s=40)
stale[bot]
on 25 Jun 2019
Hey guys! I've faced the same issue. Basically I need Id Token to implement row/column based security in mapping templates. My Id Token includes a couple custom fields which are needed to implementing security. Maybe there're some alternatives, any suggestions? @undefobj
vkuzbida-phr
on 30 Jul 2019
I am in the same situation. This is a defect or misleading in the documentation. I followed the amplify documentation for custom claims and used the Pre Token Generation Lambda Trigger.
@auth supports using custom claims if you do not wish to use the default username or cognito:groups claims from your JWT token which are populated by Amazon Cognito. This can be helpful if you are using tokens from a 3rd party OIDC system or if you wish to populate a claim with a list of groups from an external system, such as when using a Pre Token Generation Lambda Trigger which reads from a database. To use custom claims specify identityClaim or groupClaim as appropriate like in the example below:
The lambda function adds the claim to the access token but the identity claim is not sent to AppSync.
gmreburn
on 4 Nov 2019
I have opened a related issue here where I make the case not only for why this should be addressed, but why it's actually a bug that goes against the latest documentation for AWS services.
atlowell-smpl
on 21 Jan 2020
Wondering if there is a way to send idToken with amplify API.js?
You can override Amplify's default settings to pass the id token instead
Amplify.configure({
API: {
graphql_headers: async () => {
const session = await Auth.currentSession();
return {
Authorization: session.getIdToken().getJwtToken(),
};
},
},
});
dantasfiles
on 22 Jan 2020
Wondering if there is a way to send idToken with amplify API.js?
You can override Amplify's default settings to pass the id token instead
Amplify.configure({ API: { graphql_headers: async () => { const session = await Auth.currentSession(); return { Authorization: session.getIdToken().getJwtToken(), }; }, }, });
Shouldn't this solution imply some security concerns?
somq
on 3 Apr 2020
Related issues
guanzo
路
3Comments
josoroma
路
3Comments
DougWoodCDS
路
3Comments
epicfaace
路
3Comments
callmekatootie
路
3Comments
Most helpful comment
I am in the same situation. This is a defect or misleading in the documentation. I followed the amplify documentation for custom claims and used the Pre Token Generation Lambda Trigger.
The lambda function adds the claim to the access token but the identity claim is not sent to AppSync.