Here's what I'm trying to do, essentially, in React.
1) User logs in via a login mutation with AppSync and is returned an identityId and JWT token from the response.
    const cognitoCredentials = new AWS.CognitoIdentityCredentials({
      IdentityPoolId: 'IdentityPool goes here',
      IdentityId: 'IdentityId here',
      Logins: {
        'cognito-identity.amazonaws.com': 'JWT Token here'
      }
    });
2) I pass the credentials with the user's identityId and JWT token to AppSync to authenticate them.
    const client = new AWSAppSyncClient({
      url: appSyncConfig.graphqlEndpoint,
      region: appSyncConfig.region,
      auth: {
        type: AUTH_TYPE.AWS_IAM,
        credentials: cognitoCredentials
      }
    });
My question is... is this the approach I should be taking, or is there an easier way of doing this? I don't want to use user pools because it will end up being too expensive for me, so I'm going the federated identity approach. I will create a user... and save them as a federated identity using their database user id.
Sorry if this is the wrong section, but maybe someone knows!
I think this is what you need for the credentials value:
    import { Auth } from 'aws-amplify';
    ...
    credentials: () => Auth.currentCredentials()
See https://github.com/awslabs/aws-mobile-appsync-sdk-js/issues/11. Hope that helps!
@lolcoolkat I got another message from you about passing the jwt in, but Auth.currentCredentials doesn't take any input params.
https://github.com/aws/aws-amplify/blob/master/packages/aws-amplify/src/Auth/Auth.ts#L518
It seems to handle passing the jwt for AppSync requests for you. I've got the same type of setup using federated login (both FB and Cognito user pool) with IAM auth and it works like a charm.
Please note I've got Cognito configured via the Amplify lib and am using the withAuthenticator HOC vs. manually doing the Cognito sign-in.
https://aws.github.io/aws-amplify/media/authentication_guide.html#2-withauthenticator-hoc
@russelltaga Ok, thank you! And yeah, using Cognito user pools is very easy to set up.. that's what I have atm.. but using federated identities is a little trickier hehe :D
Not sure if this is helpful, but here's what I did:
1) Configure identity pool and init Amplify with it - https://github.com/aws/aws-amplify/blob/master/docs/media/authentication_guide.md#manual-setup
2) Use withAuthenticator HOC, be sure to specify { includeGreetings: true }
That should get you sign in/out for your app.
For the AppSync client, if you use code like:
    const client = new AWSAppSyncClient({
      url: appSyncConfig.graphqlEndpoint,
      region: appSyncConfig.region,
      auth: {
        type: AUTH_TYPE.AWS_IAM,
        credentials: () => Auth.currentCredentials()
      }
    });
That should start signing requests that you make to AppSync if you are signed in. If you look at the authorization request headers for GraphQL requests to AppSync you should see something like this:

If you're getting 401 errors when you make AppSync calls, it's most likely due to needing to adjust the IAM policy for the role associated with signed-in Cognito users, which you can find in the Cognito identity pool config.
@russelltaga I don't want to use an identity/user pool though with my app. I've seen the pricing for Cognito pools and it gets quite expensive once you get up towards the 900,000 users/month mark. And I expect a good amount of users on my web application so I want to use a more inexpensive alternative.
Hence why I am going to use developer federated identities, which will allow me to create an identity for a user and return a JWT token. With that token I will pass it into the CognitoIdentityCredentials, and then pass it into AppSync to authorize requests.
Hopefully that makes sense!

Note: I'm going to be using lambda functions along with AppSync for my login/register functionality which will save the user to DynamoDB and then generate the federated login/JWT token for the user!
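Added example, not part of the thread or of any poster's code: a client-side pre-flight check on the token returned by the login mutation, run before it is handed to CognitoIdentityCredentials, so a stale or mismatched token is caught before AppSync answers with 401s. It assumes the token is a Cognito OpenID token carrying `iss`, `aud` (identity pool id), `sub` (identity id), `amr` and `exp` claims; `checkDeveloperToken`, `makeSampleToken` and `SAMPLE` are hypothetical names with constructed values, and the signature is left for AWS to verify.

```javascript
// Pre-flight check of a Cognito developer-identity OpenID token (added example).
// It does NOT verify the signature; AWS does that when credentials are requested.
const COGNITO_ISSUER = 'https://cognito-identity.amazonaws.com';

// atob/btoa exist in browsers and recent Node; Buffer is the Node fallback.
const toB64 = (s) => (typeof btoa === 'function' ? btoa(s) : Buffer.from(s, 'binary').toString('base64'));
const fromB64 = (s) => (typeof atob === 'function' ? atob(s) : Buffer.from(s, 'base64').toString('binary'));

function decodeClaims(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a three-part JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const claims = JSON.parse(fromB64(b64 + '='.repeat((4 - (b64.length % 4)) % 4)));
  if (claims === null || typeof claims !== 'object') throw new Error('payload is not an object');
  return claims;
}

// Returns a list of problems; an empty list means the token is worth using.
function checkDeveloperToken(token, expected) {
  const { identityPoolId, identityId, nowSec = Math.floor(Date.now() / 1000), skewSec = 60 } = expected;
  let claims;
  try {
    claims = decodeClaims(token);
  } catch (err) {
    return ['malformed token: ' + err.message];
  }
  const problems = [];
  if (claims.iss !== COGNITO_ISSUER) problems.push('unexpected issuer');
  if (claims.aud !== identityPoolId) problems.push('issued for a different identity pool');
  if (claims.sub !== identityId) problems.push('subject does not match identityId');
  if (!Array.isArray(claims.amr) || !claims.amr.includes('authenticated')) problems.push('identity is not authenticated');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec + skewSec) problems.push('expired or about to expire');
  return problems;
}

// Builds a constructed sample token with a placeholder signature, for illustration only.
function makeSampleToken(claims) {
  const enc = (obj) => toB64(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ typ: 'JWT' }), enc(claims), 'constructed-signature'].join('.');
}

const SAMPLE = { // constructed values, not real identifiers
  identityPoolId: 'us-east-1:00000000-0000-0000-0000-000000000000',
  identityId: 'us-east-1:11111111-1111-1111-1111-111111111111',
  nowSec: 1700000000,
};
```

A non-empty result is the cue to send the user back through the login mutation instead of building credentials from the token.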
Got it, apologies for any confusion!
@lolcoolkat How do you get your custom headers from the client to your lambdas? I am using IAM auth and lambdas, and AppSync doesn't seem to pass along headers (unless I am doing it wrong, which is very possible).