Can someone point me to an example of best practices or production ready code showing:
1) how to authenticate users with AWS Cognito on Apollo client and pass that info to Apollo _graphql-lambda_?
2) use that info to let a user modify records in a db (e.g. Dynamodb) only if they have certain permissions? (e.g. users can only edit own posts, and can edit any post if user is admin).
Would be great to have a comprehensive tutorial on developing serverless apps with Apollo covering authentication (with Cognito), ACL/permissions, local development (i.e. what part of dev workflow is possible to do with _graphql-lambda_ without constantly connecting to AWS? perhaps using https://github.com/atlassian/localstack ), CI/CD workflows etc.
Hi, I'm on the same page here. I'll tell you my plan, let's see if it makes sense to you:
All the users will be in a Cognito user pool, and put each user in the appropriate groups.
Then there's a DynamoDB table matching Cognito user groups with GraphQL queries and mutations.
So the work of the Authenticator will be to extract the Cognito user groups from the JWT token, the operation from the GraphQL query, and test if it is allowed using the DynamoDB table (or maybe a Redis will do better).
What do you think?
Carlos
After reading, it seems that the custom authorizer only has information about the endpoint and who the user is, not the GraphQL query/mutation being invoked.
It seems that the way forward is to implement a viewer pattern as described here so the authorization would be inside the graphql server itself, and the JWT (or whatever token you are using) needs to be added as a parameter of the query/mutation as well.
To me this is not the cleanest implementation, but unless we can access the body of the POST request in the authorizer, there is no other option.
Something else that concerns me is the TTL of the authorizer, which obviously doesn't take the graphql operation into account, so it should be set to 0.
This makes me think that the approach is correct, in terms of deduplicity and costs, but not in terms of delegation, it's just not elegant.
Will try to figure out a way...
Carlos
Thanks, Carlos! I'm still struggling to wrap my mind around AWS Cognito. Perhaps someone has already tackled these issues and can offer a sample code?
For reference, some discussion here.
Hi @dalerka,
Finally I ended up writing a custom validator to perform the authorisation, which gets the operation and entities queried from the AST, and checks them against the user's roles.
Roles and permissions are stored in DynamoDB tables, and the only thing I take from Cognito is the username. All the other permissions and stuff are in tables.
And it's working perfectly :)
Hope it helps
Carlos
I think this question/discussion would be better for Stack Overflow.