Group authorization in AppSync using IAM authentication

Problem description

My service requires user groups for authorising access to data.

Group authorization examples in the AppSync documentation are based on User Pool claims. I'm using IAM authentication, so $context.identity doesn't include claims or any similar information.

See, for example, the topic "Use Case: Group Can Create New Record" in: https://docs.aws.amazon.com/appsync/latest/devguide/security-authorization-use-cases.html

## Build "contains(groupsCanAccess, :var1) OR contains(groupsCanAccess, :var2) ..." from the
## caller's Cognito groups; $expressionValues maps each :varN placeholder to its group name.
#set($expression = "")
#set($expressionValues = {})
#foreach($group in $context.identity.claims.get("cognito:groups"))
    #set( $expression = "${expression} contains(groupsCanAccess, :var$foreach.count )" )
    #set( $val = {})
    #set( $test = $val.put("S", $group))
    #set( $values = $expressionValues.put(":var$foreach.count", $val))
    #if ( $foreach.hasNext )
        #set( $expression = "${expression} OR" )
    #end
#end
{
    "version" : "2017-02-28",
    "operation" : "PutItem",
    "key" : {
        ## If your table's hash key is not named 'id', update it here. **
        "id" : { "S" : "$context.arguments.id" }
        ## If your table has a sort key, add it as an item here. **
    },
    "attributeValues" : {
        ## Add an item for each field you would like to store to Amazon DynamoDB. **
        "title" : { "S" : "${context.arguments.title}" },
        "content": { "S" : "${context.arguments.content}" },
        "owner": {"S": "${context.identity.username}" }
    },
    ## The write only succeeds if the item is new or one of the caller's groups
    ## appears in the item's groupsCanAccess set.
    "condition" : {
        "expression": "attribute_not_exists(id) OR $expression",
        "expressionValues": $utils.toJson($expressionValues)
    }
}

I would expect to just check from the User table whether the user is in a group that grants this permission. However, DynamoDB conditions don't seem to support querying other tables.

Recommended answer

Today I'm using something similar to your requirement. For that I add a custom header in the Amplify request with the JWT token from the Cognito User Pool. In my case, I parse the JWT inside a Lambda resolver. For your case, you'll need to parse the JWT token in the frontend and send it parsed (and encoded) in the custom header. Inside your resolver you can decode the header value and extract the groups from the claims.
