AWS AppSync Authorization


Question


I'm planning to use AWS Appsync to migrate a graphQL endpoint in a lambda function, which is being triggered by a POST via the API Gateway. I'm looking into AppSync mainly because of the subscriptions, which I can't create using a Lambda function.

My Authentication mechanism is based on Auth0, using passwordless, and my authorization mechanism is based on the data from several tables in DynamoDB and it's embedded in the graphQL resolvers, as recommended by Facebook and Apollo.

What is more, it is based on every part of the request, which includes checking permission to invoke the query/mutation, and after that, the different entities included in the query, as the appropriate resolvers are being fired.

As far as I can see, this is far away from being possible in AWS AppSync, as it enforces using Cognito. Maybe some kind of custom authorizer, like in the API Gateway could do the work, but it's still uncertain, because it needs to be executed many times during the graphQL request resolution (remember, one per nested object apart from the initial operation check).

Maybe I can make a workaround regarding the subscriptions using notifications and refresh the queries, but I'll have to look into that as well.

Anyone else with this problem too? How do you plan to, or have solved it?

Any help will be much appreciated

Carlos

Answer

At this point AppSync supports AuthZ checks using the metadata in the resource you are querying, or you can pass through the data and check it in the resolver. For instance you can store authorization metadata on the DynamoDB table and check it and then return data, but you cannot check a separate data source. However there will be more auth methods opened up in the future as AppSync is still not GA.

In the meantime, some options:

  • Use Lambda as your resolver and do your AuthZ check there before reading/writing to DynamoDB

  • Federate your Auth0 identity with AWS IAM and use those credentials in the resolver as a check. AppSync supports these credentials.

  • Check the JWT claims in the resolver that you pass through for your AuthZ check. You can use $context.identity.claims.attrib in the Velocity language for this.

Please keep checking the AppSync documentation page in the coming months as the service evolves for more options here.

EDIT There is now a guide in the documentation for AppSync authorization scenarios and use cases: https://docs.aws.amazon.com/appsync/latest/devguide/security-authorization-use-cases.html

EDIT #2 There is a new blog post for using multiple data sources with your resolvers for advanced authorization scenarios: https://hackernoon.com/graphql-authorization-with-multiple-data-sources-using-aws-appsync-dfae2e350bf2
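The first option above (a Lambda resolver that does the AuthZ check before touching DynamoDB) combined with the third (deciding on the JWT claims AppSync passes in `identity.claims`), as an added example that is not part of the answer or of any AWS sample. It assumes the direct Lambda resolver event shape (`identity.claims.sub`, `info.fieldName`, `arguments`); the role table, post table and field policy are constructed in-memory stand-ins for the DynamoDB tables the question mentions.

```python
# Constructed stand-ins for the DynamoDB tables: authorization metadata
# (which roles a subject holds) and the records being resolved.
USER_ROLES = {"auth0|alice": {"editor"}, "auth0|bob": {"viewer"}}
POSTS = {"p1": {"id": "p1", "owner": "auth0|alice", "title": "Hello"}}

# Operation-level policy: which roles may invoke each query/mutation field.
FIELD_POLICY = {"getPost": {"viewer", "editor"}, "updatePost": {"editor"}}


class Unauthorized(Exception):
    """Raised so AppSync returns an error for this field only."""


def authorize(identity, field_name, args):
    """Two checks the question describes: may the caller invoke this field at all,
    and (for writes) does the caller own the entity being resolved."""
    sub = (identity or {}).get("claims", {}).get("sub")
    if not sub:
        raise Unauthorized("no subject claim in identity")
    roles = USER_ROLES.get(sub, set())
    if not roles & FIELD_POLICY.get(field_name, set()):
        raise Unauthorized(f"{sub} may not call {field_name}")
    if field_name == "updatePost":
        post = POSTS.get(args["id"])
        if post is None or post["owner"] != sub:
            raise Unauthorized(f"{sub} does not own post {args['id']}")
    return sub


def handler(event, context=None):
    """AppSync direct Lambda resolver entry point: authorize first, then read/write."""
    field = event["info"]["fieldName"]
    args = event.get("arguments", {})
    authorize(event.get("identity"), field, args)  # raises before any data access
    if field == "getPost":
        return POSTS.get(args["id"])
    if field == "updatePost":
        POSTS[args["id"]]["title"] = args["title"]
        return POSTS[args["id"]]
    raise ValueError(f"unhandled field {field}")


def make_event(sub, field, args):
    """Build a constructed AppSync resolver event for a given subject claim."""
    return {"identity": {"claims": {"sub": sub}},
            "info": {"fieldName": field}, "arguments": args}


if __name__ == "__main__":
    print(handler(make_event("auth0|bob", "getPost", {"id": "p1"})))
```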

