AWS AppSync Authorization


Question


I'm planning to use AWS Appsync to migrate a graphQL endpoint in a lambda function, which is being triggered by a POST via the API Gateway. I'm looking into AppSync mainly because of the subscriptions, which I can't create using a Lambda function.


My Authentication mechanism is based on Auth0, using passwordless, and my authorization mechanism in based on the data from several tables in DynamoDB and it's embedded in the graphQL resolvers, as recommended by Facebook and Apollo.


What is more, it is based on every part of the request, which includes checking permission to invoke the query/mutation, and after that, the different entities included in the query, as the appropriate resolvers are being fired.


As far as I can see, this is far away from being possible in AWS AppSync, as it enforces using Cognito. Maybe some kind of custom authorizer, like in the API Gateway could do the work, but it's still uncertain, because it needs to be executed many times during the graphQL request resolution (remember, one per nested object apart from the initial operation check).


Maybe I can make a workaround regarding the subscriptions using notifications and refresh the queries, but I'll have to look into that as well.


Anyone else with this problem too? How do you plan to, or have solved it?

Any help will be greatly appreciated.

Carlos

Recommended answer


At this point AppSync supports AuthZ checks using the metadata in the resource you are querying, or you can pass through the data and check it in the resolver. For instance you can store authorization metadata on the DynamoDB table and check it and then return data, but you cannot check a separate data source. However there will be more auth methods opened up in the future as AppSync is still not GA.

In the meantime, some options:

  • Use Lambda as your resolver and do your AuthZ check there before reading/writing to DynamoDB

  • Federate your Auth0 identity with AWS IAM and use those credentials in the resolver as a check. AppSync supports these credentials.

  • Check the JWT claims in the resolver that you pass through for your AuthZ check. You can use $context.identity.claims.attrib in the Velocity language for this.


Please keep checking the AppSync documentation page in the coming months as the service evolves for more options here.


EDIT There is now a guide in the documentation for AppSync authorization scenarios and use cases: https://docs.aws.amazon.com/appsync/latest/devguide/security-authorization-use-cases.html


EDIT #2 There is a new blog post for using multiple data sources with your resolvers for advanced authorization scenarios: https://hackernoon.com/graphql-authorization-with-multiple-data-sources-using-aws-appsync-dfae2e350bf2
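As an added illustration of the first and third options the answer lists (Lambda as the resolver with the AuthZ check done before DynamoDB is touched, and the check driven by the JWT claims the resolver passes through), here is a Lambda-style resolver in Node.js. This is example code written for this page, not code from the answer, from the question's author or from AWS. It assumes that the resolver passes $context.identity.claims through as event.identity.claims and the GraphQL field name as event.info.fieldName, that the token carries a sub claim plus a custom namespaced roles claim, and that DynamoDB access is replaced by an injected in-memory store so the example runs offline. It shows both layers the question asks about: an operation-level check before any read, and a per-entity check evaluated as the resolver reads the item, which is the "metadata in the resource you are querying" pattern the answer describes.

```javascript
// Added example, not part of the original thread. Assumed shapes are marked below.

// Constructed sample policy: which roles may invoke each query/mutation.
const PERMISSIONS = {
  getPost:    ["reader", "editor", "admin"],
  updatePost: ["editor", "admin"],
  deletePost: ["admin"],
};
// Assumption: roles travel in a custom, namespaced JWT claim (Auth0 style).
const ROLES_CLAIM = "https://example.com/roles";

class UnauthorizedError extends Error {
  constructor(message) { super(message); this.name = "UnauthorizedError"; }
}

function rolesOf(claims) {
  const roles = claims[ROLES_CLAIM];
  return Array.isArray(roles) ? roles : [];
}

// Layer 1: may this caller invoke the requested operation at all?
// Runs before any data source is read, so an unauthorized caller never
// learns whether the item exists.
function authorizeOperation(claims, fieldName) {
  if (!claims || typeof claims.sub !== "string") {
    throw new UnauthorizedError("missing identity claims");
  }
  const allowed = PERMISSIONS[fieldName];
  if (!allowed) throw new UnauthorizedError(`unknown operation ${fieldName}`);
  if (!allowed.some(role => rolesOf(claims).includes(role))) {
    throw new UnauthorizedError(`${claims.sub} may not call ${fieldName}`);
  }
}

// Layer 2: per-entity rule using metadata stored on the item itself
// (ownerId, visibility), evaluated after the read and before data is returned.
function authorizeEntity(claims, fieldName, post) {
  if (rolesOf(claims).includes("admin")) return;                // admins bypass ownership
  if (fieldName === "getPost" && post.visibility === "public") return;
  if (post.ownerId !== claims.sub) {
    throw new UnauthorizedError(`${claims.sub} is not the owner of ${post.id}`);
  }
}

// Resolver core. `store` stands in for DynamoDB (assumption); a real Lambda
// handler would await SDK calls here and return the same values.
function resolveRequest(event, store) {
  const fieldName = event.info && event.info.fieldName;        // assumed event shape
  const claims = event.identity && event.identity.claims;      // passed through by the resolver
  authorizeOperation(claims, fieldName);
  const post = store.get(event.arguments.id);
  if (!post) return null;                                      // nothing to authorize against
  authorizeEntity(claims, fieldName, post);
  switch (fieldName) {
    case "deletePost":
      store.delete(post.id);
      return post;
    case "updatePost": {
      // Never let client input overwrite the authorization metadata itself.
      const updated = { ...post, ...event.arguments.input, id: post.id, ownerId: post.ownerId };
      store.put(updated);
      return updated;
    }
    default:
      return post;
  }
}

// Constructed in-memory table so the example runs without the AWS SDK.
function makeStore(items) {
  const table = new Map(items.map(p => [p.id, { ...p }]));
  return {
    get: id => (table.has(id) ? { ...table.get(id) } : null),
    put: p => { table.set(p.id, { ...p }); },
    delete: id => { table.delete(id); },
  };
}

// Constructed sample data and a helper that builds an AppSync-style event.
const SAMPLE_POSTS = [
  { id: "p1", ownerId: "auth0|alice", visibility: "private", title: "draft" },
  { id: "p2", ownerId: "auth0|bob",   visibility: "public",  title: "hello" },
];
function makeEvent(sub, roles, fieldName, args) {
  return { info: { fieldName }, arguments: args, identity: { claims: { sub, [ROLES_CLAIM]: roles } } };
}

// Usage: an editor reading someone else's private post is rejected before any data leaves.
try {
  resolveRequest(makeEvent("auth0|bob", ["editor"], "getPost", { id: "p1" }), makeStore(SAMPLE_POSTS));
} catch (e) {
  console.log(e.name, e.message);
}
```

Throwing from the resolver is what surfaces as a GraphQL error to the caller; the point of the ordering is that the operation check fails fast and the entity check only runs on data the resolver has already fetched, which is exactly where a per-nested-object check can be placed.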
