1

Setup:

  • AWS Amplify API w/ GraphQL
  • AWS Amplify Auth w/ Cognito User Pools

Say the majority of the platform should be accessible by a logged out user. E.g. they should be able to read forum Topics, but if they want to post, they need to sign in.

I see an @auth resolver that I can use, but whenever I try to make a GraphQL call to my.url.amazonawscom/graphql to fetch Topics, it says "errorType": "UnauthorizedException". I'm having trouble figuring out how a logged out user can have authorization to publicly accessible data.

VDog

2 Answers

1

AWS AppSync recently launched support for multiple authorization types on the same AppSync API. So you could, for example, enable Cognito User Pools as the authorization type on your API and add API_KEY as an additional authorization provider.

After this, you would be able to use the @aws_api_key directive to make selected fields from your schema, such as, for example, getForumTopics, be API key authenticated. API keys are in general considered to give public access.

Also, Cognito User Pools and Cognito Federated Identities are separate products. Cognito Federated Identities does indeed have an unauthenticated identity role that you can use to secure top-level fields in your schema, but it looks like the auth type on your API is set to Cognito User Pools.

Ionut Trestian
0

In the Cognito identity pool you need to set the policy for unauthorized users. Go to Edit Identity Pool and you can see an option where a role can be set for unauthorized users.

Robin Varghese
  • Oh interesting, yeah I just saw that setting to enable it. So it's enabled, but do I need to pass some generic JWT token, or anything in the header during a request? It's now saying "Unable to parse JWT token" – VDog Jul 24 '19 at 18:27
  • Meaning, I am able to get it working with a JWT token for an authenticated user, but can't figure out what header(s) to use for unauthenticated when trying to use Postman or Insomnia – VDog Jul 24 '19 at 19:06
  • For an unauthenticated user, there is no JWT token generated. – Robin Varghese Jul 26 '19 at 06:26
  • I understand, but what would the format of a query look like for an unauthenticated user on, for example, Postman? I am unable to achieve said query, and am hoping I can pass some kind of header information to validate the unauthenticated user. – VDog Jul 26 '19 at 07:37
  • Can you please use the AWS API Gateway interface to test those endpoints. Make sure you have deployed the APIs into a stage before you test the endpoints. In the API Gateway, I hope you have configured the IAM Authorizer. In the Cognito Identity Pool, in the section Unauthenticated identities, check the box Enable access to unauthenticated identities – Robin Varghese Jul 26 '19 at 08:33