使用IAM身份验证的AppSync中的组授权 [英] Group authorization in AppSync using IAM authentication

问题描述

我的服务需要用户组来授权对数据的访问。

My service requires user groups for authorising access to data.

AppSync文档中的组授权示例基于用户池声明。我使用的是IAM身份验证，因此$ context.identity不包含声明或任何类似信息。

Group authorization examples in AppSync documentation are based on User Pool claims. I'm using IAM authentication so $context.identity doesn't include claims or any similar information.

例如，请参阅主题用例：组可以创建新的记录：
https：/ /docs.aws.amazon.com/appsync/latest/devguide/security-authorization-use-cases.html

See, for example, topic "Use Case: Group Can Create New Record" in: https://docs.aws.amazon.com/appsync/latest/devguide/security-authorization-use-cases.html

#set($expression = "")
#set($expressionValues = {})
#foreach($group in $context.identity.claims.get("cognito:groups"))
    #set( $expression = "${expression} contains(groupsCanAccess, :var$foreach.count )" )
    #set( $val = {})
    #set( $test = $val.put("S", $group))
    #set( $values = $expressionValues.put(":var$foreach.count", $val))
    #if ( $foreach.hasNext )
    #set( $expression = "${expression} OR" )
    #end
#end
{
    "version" : "2017-02-28",
    "operation" : "PutItem",
    "key" : {
        ## If your table's hash key is not named 'id', update it here. **
        "id" : { "S" : "$context.arguments.id" }
        ## If your table has a sort key, add it as an item here. **
    },
    "attributeValues" : {
        ## Add an item for each field you would like to store to Amazon DynamoDB. **
        "title" : { "S" : "${context.arguments.title}" },
        "content": { "S" : "${context.arguments.content}" },
        "owner": {"S": "${context.identity.username}" }
    },
    "condition" : {
        "expression": "attribute_not_exists(id) OR $expression",
        "expressionValues": $utils.toJson($expressionValues)
    }
}

我希望只从User表检查用户是否在授予此权限的组中。但是，DynamoDB条件似乎不支持查询其他表。

I would expect to just check from User table whether the user is in a group that grants this permission. However, DynamoDB conditions don't seem to support querying other tables.

推荐答案

今天，我正在使用与您的要求类似的东西。为此，我使用来自Cognito用户池的JWT令牌在放大请求中添加了自定义标头。就我而言，我在Lambda解析器中解析了JWT。对于您的情况，您需要在前端解析JWT令牌，然后在自定义标头中将其解析（并编码）发送。在解析器内部，您可以解码标题值并从声明中提取组。

Today i'm using something similar to your requirement. For that I add a custom header in the amplify request with the JWT token from Cognito User Pool. In my case, I parse the JWT inside a lambda resolver. For your case, you'll need to parse the JWT token in the frontend and send it parsed (and encoded) in the custom header. Inside your resolver you can decode the header value and extract the groups from the claims.

这篇关于使用IAM身份验证的AppSync中的组授权的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！