AWS AppSync authorization - Amazon Virtual Andon

AWS AppSync authorization

AWS AppSync authorizes requests using the OpenID Connect (OIDC) JSON Web Tokens (JWTs) issued by Amazon Cognito user pools. The application uses the users and groups defined in your user pool and associates them with GraphQL fields and operations to control access.

When using Amazon Cognito user pools, you can create groups and assign users to them. A user's group memberships are encoded in the JWT (the cognito:groups claim) that your application sends to AWS AppSync in the Authorization header with each GraphQL operation. AWS AppSync verifies the token before it invokes the resolver, so the resolver can trust the claims it reads from $ctx.identity.claims and use the group claim to decide which groups may run the query. Because the check is written into the resolver, it protects only the resolvers that include it; every field that should be restricted needs its own check.

The following example shows an AWS AppSync request mapping template, written in the Apache Velocity Template Language (VTL), that allows only members of the AdminGroup group to run the Scan. Any caller whose token carries no cognito:groups claim, or whose groups do not include an allowed group, is rejected with $util.unauthorized() before the data source is called:

    ## Check authorization
    #set ($isAllowed = false)
    #set ($userGroups = $ctx.identity.claims.get("cognito:groups"))
    #set ($allowedGroups = ["AdminGroup"])
    #foreach ($userGroup in $userGroups)
      #if ($allowedGroups.contains($userGroup))
        #set ($isAllowed = true)
        #break
      #end
    #end
    ## Throw unauthorized if the user is not in an allowed group.
    ## A missing cognito:groups claim leaves $isAllowed false, so the request is denied.
    #if ($isAllowed == false)
      $util.unauthorized()
    #end
    {
      "version": "2017-02-28",
      "operation": "Scan",
      #if( $ctx.args.nextToken )
        "nextToken": "$ctx.args.nextToken",
      #end
      "limit": $util.defaultIfNull($ctx.args.limit, 50)
    }
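The same allow-list check, written as an added example in the shape of an AWS AppSync JavaScript (APPSYNC_JS) resolver so that its edge cases can be exercised offline. This is not code from Amazon Virtual Andon; in a real APPSYNC_JS resolver the util object comes from the @aws-appsync/utils package and util.unauthorized() aborts the request, so the local util stand-in, the ALLOWED_GROUPS constant, the isAllowed and denies helpers, and the sample contexts below are all assumptions made for this example. It shows the three cases a practitioner should care about: a member of AdminGroup is allowed, a member of a different group is rejected, and a token with no cognito:groups claim at all is rejected rather than treated as a match.

```javascript
// Added example (not from the Amazon Virtual Andon code base): the allow-list
// group check from the VTL template, in APPSYNC_JS resolver style.
// In AppSync, `util` is imported from '@aws-appsync/utils'; this local
// stand-in (an assumption for running the file offline) mimics
// util.unauthorized() by throwing an error named "Unauthorized".
const util = {
  unauthorized() {
    const err = new Error('Unauthorized');
    err.name = 'Unauthorized';
    throw err;
  },
};

// Groups whose members may run this Scan. Exact, case-sensitive matches only:
// "AdminGroup2" or "adminGroup" must not be accepted.
const ALLOWED_GROUPS = ['AdminGroup'];

// True when the caller's claims place them in at least one allowed group.
// AppSync has already verified the JWT signature, expiry and audience before
// the resolver runs, so `claims` is trusted here; the resolver never decodes
// the raw Authorization header itself.
function isAllowed(claims, allowedGroups = ALLOWED_GROUPS) {
  const groups = claims && claims['cognito:groups'];
  if (!Array.isArray(groups)) {
    // Missing or malformed claim means the user is in no group: deny.
    return false;
  }
  return groups.some((g) => allowedGroups.includes(g));
}

// Request handler in APPSYNC_JS shape: ctx.identity.claims holds the verified
// Cognito token claims and ctx.args the GraphQL arguments. Returns the
// DynamoDB Scan request, or aborts via util.unauthorized().
function request(ctx) {
  if (!isAllowed(ctx.identity.claims)) {
    util.unauthorized();
  }
  const req = { operation: 'Scan', limit: ctx.args.limit ?? 50 };
  if (ctx.args.nextToken) {
    req.nextToken = ctx.args.nextToken;
  }
  return req;
}

// Helper for callers/tests: true if the resolver rejects this context.
function denies(ctx) {
  try {
    request(ctx);
    return false;
  } catch (e) {
    if (e.name === 'Unauthorized') return true;
    throw e;
  }
}

// Constructed sample contexts (not real tokens), one per case of interest.
const adminCtx = {
  identity: { claims: { sub: 'user-1', 'cognito:groups': ['AdminGroup'] } },
  args: { limit: 10 },
};
const engineerCtx = {
  identity: { claims: { sub: 'user-2', 'cognito:groups': ['EngineerGroup'] } },
  args: {},
};
const noGroupCtx = {
  identity: { claims: { sub: 'user-3' } }, // no cognito:groups claim at all
  args: {},
};

// Stand-alone run: prints the decision for each constructed context.
for (const [name, ctx] of [['admin', adminCtx], ['engineer', engineerCtx], ['no-group', noGroupCtx]]) {
  console.log(name, denies(ctx) ? 'denied' : JSON.stringify(request(ctx)));
}
```

The allow-list is checked with exact string equality on the array claim; a substring or prefix comparison would let a group such as AdminGroup2 through, and defaulting to allow when the claim is missing would open the field to every authenticated user.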