
[GraphQL] cannot use authMode: oidc without Cognito user pool. #510

Closed

PG-practice opened this issue Jan 25, 2025 · 4 comments

Labels: GraphQL, question (Further information is requested)

Comments

PG-practice commented Jan 25, 2025
JavaScript Framework: Not applicable
Amplify APIs: GraphQL API
Amplify Version: v6
Amplify Categories: api
Backend: Other
Describe the bug

When you want to use Amplify JavaScript just to make requests to an existing AppSync API whose authentication mode is a 3rd-party OIDC provider, the library now seems to require an Amazon Cognito User Pool.

The code below results in the error NoValidAuthTokens: No federated jwt at headerBasedAuth ......

code
Amplify.configure({
  API: {
    GraphQL: {
      endpoint: 'https://xxxxxxxx/graphql',
      region: 'xxxxxxxxxx',
      defaultAuthMode: 'oidc'
    }
  }
});
...
    const client = generateClient();
    const res = await client.graphql({ query: yourQuery, authMode: 'oidc', authToken: "some your jwt" });

Cause:

Even when authMode is set to 'oidc', Amplify JavaScript still processes it the same way as authMode userPool:

		case 'oidc':
		case 'userPool': {
			let token: string | undefined;

			try {

Possible Solution:

Given the following:

the code here should start to request with Authorization header, and without requiring Cognito

before

		case 'oidc':
		case 'userPool': {
			let token: string | undefined;

after

		case 'oidc':
			if (additionalHeaders.Authorization) {
				headers = {
					Authorization: additionalHeaders.Authorization,
				};
			}
			break;
		case 'userPool': {
			let token: string | undefined;

This change alone makes it possible to send the authToken parameter as the Authorization header without any Cognito resource.
If that's OK, I could open a PR with the change, but I'm concerned that I've overlooked another way to make requests to an existing AppSync API with the external OIDC authentication mode. I cannot find one.

Related Documents:

  • The current documentation suggests that authMode: 'oidc' should work for AppSync with OIDC authentication. However, just following that document causes the error No federated jwt.
  • This blog post demonstrates an external provider, but userPool mode is set both in authorizationModes on the AppSync API and in authMode in the client code, which implies that authMode 'oidc' isn't helpful.

Similar issue: #507

Expected behavior

For existing AppSync resources with the OIDC authorization mode, we should only need to pass the Authorization header.
Cognito resources should not be required.


Reproduction steps

  1. Create an API with the OIDC authorization mode in the console (any method other than Amplify is fine).
  2. Create a front-end project, e.g. React.
  3. Generate the front-end GraphQL code with npx @aws-amplify/cli codegen.
    Gen 2 doesn't support front-end code generation as of now, so this needs the Amplify CLI (see amplify-backend#1903: support generating GraphQL client code by pointing to an AppSync API ID).
  4. npm install aws-amplify
  5. Change App.js to the code snippet below.
  6. Log in to your external OIDC provider and get a token.
  7. Hard-code the token as the authToken parameter.
  8. npm start
  9. Click the button to call the API.
  10. You see the No federated jwt error.

Code Snippet

App.js

import { Amplify } from 'aws-amplify'
import { generateClient } from '@aws-amplify/api';
import { yourQuery } from './graphql/queries';

// Only the GraphQL API is configured: no Auth (Cognito) section, because the
// existing AppSync API uses an external OIDC provider.
Amplify.configure({
  API: {
    GraphQL: {
      endpoint: 'https://xxxxxxxx/graphql',
      region: 'xxxxxxxxxx',
      defaultAuthMode: 'oidc'
    }
  }
});

function App() {
  const call = async() => {
    const client = generateClient();
    // authToken is the JWT obtained from the external OIDC provider
    // (hard-coded here only for the reproduction).
    const res = await client.graphql({ query: yourQuery, authMode: 'oidc', authToken: "some your jwt" });
    console.log(res)
  }

  return (
    <>
      <button onClick={call}>API CALL</button>
    </>
  );
}

export default App;

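The code path the issue describes, modelled as an added example (this is not Amplify's source and not the issue author's code): a simplified header-resolution step with the reported 'before' behaviour (oidc falls through into the userPool branch and fails before any request is sent) beside the proposed 'after' behaviour (oidc forwards the caller's token and never consults Cognito), followed by the HTTP request an OIDC-mode AppSync call actually needs. fetchCognitoAccessToken, SAMPLE_ENDPOINT, SAMPLE_QUERY and the JWT-shaped string are stand-ins constructed for this example.

```javascript
// Added example, not Amplify's code: a simplified model of the header-resolution
// step discussed in the issue, 'before' and 'after' the proposed change.

// Hypothetical stand-in for the Cognito session lookup. It returns undefined
// because no Cognito User Pool is configured, which is the situation in the issue.
function fetchCognitoAccessToken() {
  return undefined;
}

// 'before': oidc and userPool share one branch, so an oidc caller without a
// Cognito session gets the same "No federated jwt" error as a logged-out
// userPool caller, regardless of the authToken it supplied.
function resolveAuthHeadersBefore(authMode, additionalHeaders = {}) {
  switch (authMode) {
    case 'oidc':
    case 'userPool': {
      const token = fetchCognitoAccessToken();
      if (!token) {
        throw new Error('NoValidAuthTokens: No federated jwt');
      }
      return { Authorization: token };
    }
    default:
      throw new Error(`unsupported authMode: ${authMode}`);
  }
}

// 'after': oidc forwards the externally issued JWT the caller supplied
// (surfaced here as additionalHeaders.Authorization) and does not touch Cognito.
function resolveAuthHeadersAfter(authMode, additionalHeaders = {}) {
  switch (authMode) {
    case 'oidc': {
      if (!additionalHeaders.Authorization) {
        throw new Error('authMode oidc requires an authToken (Authorization header)');
      }
      return { Authorization: additionalHeaders.Authorization };
    }
    case 'userPool': {
      const token = fetchCognitoAccessToken();
      if (!token) {
        throw new Error('NoValidAuthTokens: No federated jwt');
      }
      return { Authorization: token };
    }
    default:
      throw new Error(`unsupported authMode: ${authMode}`);
  }
}

// The request an AppSync OIDC-mode call needs: POST to the GraphQL endpoint,
// a JSON body with query and variables, and the raw JWT in Authorization.
function buildGraphqlRequest(endpoint, query, variables, authHeaders) {
  return {
    url: endpoint,
    method: 'POST',
    headers: { 'Content-Type': 'application/json', ...authHeaders },
    body: JSON.stringify({ query, variables }),
  };
}

// What a client with authMode 'oidc' and an authToken sends on the 'after' path.
function buildOidcRequest(endpoint, query, variables, jwt) {
  const authHeaders = resolveAuthHeadersAfter('oidc', { Authorization: jwt });
  return buildGraphqlRequest(endpoint, query, variables, authHeaders);
}

// Constructed sample inputs: a placeholder endpoint and a JWT-shaped string,
// not real credentials.
const SAMPLE_ENDPOINT = 'https://example.invalid/graphql';
const SAMPLE_QUERY = 'query ListItems { listItems { id } }';
const SAMPLE_JWT = 'eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2lnbmF0dXJl';

// Usage: fetch(req.url, { method: req.method, headers: req.headers, body: req.body })
const req = buildOidcRequest(SAMPLE_ENDPOINT, SAMPLE_QUERY, { limit: 10 }, SAMPLE_JWT);
```

The client only passes the token through; checking the signature, issuer, audience and expiry against the configured OIDC issuer is AppSync's job on the server side, so the client-side change cannot weaken authorization. Hard-coding the JWT, as in the reproduction, is only acceptable for a repro: in an application the token should come from the OIDC login flow at call time.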

Samaritan1011001 (Member) commented:

Hi @PG-practice, thank you for opening the issue with a detailed description. I believe this belongs to Amplify Data; I will have someone transfer it over so they can best assist you.

Samaritan1011001 transferred this issue from aws-amplify/amplify-js Jan 28, 2025

chrisbonifacio (Member) commented:

Hi @PG-practice 👋 thanks for raising this issue.

It looks like you might be running into the same blocker as the OP of this other issue:
#507 (comment)

Can you please try adding a prefix or suffix to the token as you pass it to the authToken field in the API call?
If my hunch is correct, that should allow the service to process the token correctly.

Let us know if that helps!

chrisbonifacio self-assigned this Jan 28, 2025
chrisbonifacio added the labels question (Further information is requested) and pending-community-response and removed pending-triage, Jan 28, 2025

PG-practice (Author) commented:

Thanks!
But the document doesn't seem related to the error No federated jwt, for the following reasons.

  • As I mentioned earlier, the No federated jwt error derives from this code, which runs before requesting. So in fact the client doesn't make a request to the AppSync API.

    Even when authMode is set to 'oidc', Amplify JavaScript still processes it the same way as authMode userPool

  • While your document in #507 (comment) is about cases using the Lambda authorization mode, this issue occurs even when only using the OIDC authentication mode. Moreover, the AppSync authentication setting is irrelevant because no actual API request is made: the No federated jwt error happens simply by setting the client code to authMode: 'oidc'.

chrisbonifacio (Member) commented Feb 3, 2025

Hi @PG-practice, thank you for responding. Since this issue specifically mentions needing a Cognito User Pool for oidc to work as an auth mode, I believe this is a duplicate of this issue.

I will close this one out as a duplicate since it's the more recent one. Please track #507 for future updates as I try to reproduce the issue.
