I have created a resolver that uses the email address ($context.identity.claims.email). I tested my query in the AWS Console "Queries" section and all worked fine as $context.identity.claims looked as expected;
{
  sub: 'xxx-xxx-xxx-xxx-xxx',
  aud: 'xxxxxxxxx',
  email_verified: true,
  sub: 'xxx-xxx-xxx-xxx-xxx',
  token_use: 'id',
  auth_time: 1563643503,
  iss: 'https://cognito-idp.ap-southeast-1.amazonaws.com/ap-southeast-1_xxxxx',
  'cognito:username': 'xxxx',
  exp: 1563647103,
  iat: 1563643503,
  email: 'xxx@xxx.xxx'
}
All looks good, so let's use it in my React App that uses the AWS Amplify code for authentication. It's not working now, and that is because there is no "email" in the claim section! It looks like this:
{
  sub: 'xxx-xxx-xxx-xxx-xxx',
  event_id: 'xxx-xxx-xxx-xxx-xxx',
  token_use: 'access',
  scope: 'aws.cognito.signin.user.admin',
  auth_time: 1563643209,
  iss: 'https://cognito-idp.ap-southeast-1.amazonaws.com/ap-southeast-1_xxxx',
  exp: 1563646809,
  iat: 1563643209,
  jti: 'xxx-xxx-xxx-xxx-xxx',
  client_id: 'xxxx',
  username: 'xxxx'
}
Can anyone help me out as to why the email shows in the AWS Console Query but not when I call it from my own client?
Ok, so I think the key is in the "token_use" element. My original code used this function:
import {API, graphqlOperation} from 'aws-amplify';
import * as queries from '../../graphql/queries';

async function makeCall() {
  let resp = await API.graphql(graphqlOperation(queries.getMeta));
  return resp.data.getMeta;
}
That code produces the observed result above. If I use the following (very dirty but works) code, I get the expected result above:
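import {Auth, API, graphqlOperation} from 'aws-amplify';
import axios from 'axios';
import * as queries from '../../graphql/queries';

async function makeCall() {
  const curSesh = await Auth.currentSession();
  // Use the ID token (token_use: 'id'), which is the one carrying the email claim.
  const token = curSesh.idToken.jwtToken;
  const resp = await axios({
    method: 'post',
    // Reads the AppSync endpoint from Amplify's private _options object.
    url: API._options.aws_appsync_graphqlEndpoint,
    data: graphqlOperation(queries.getMeta),
    headers: {
      authorization: token
    }
  });
  // axios wraps the body in .data; the GraphQL response has its own .data.
  return resp.data.data.getMeta;
}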
I am not going to mark this as solved quite yet, as I am sure there is a far cleaner way to get this working. If anyone can shed light on it I would love to learn.
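To see which token a client is actually sending, and to make code that depends on `email` fail loudly instead of silently getting nothing, the sketch below decodes a JWT payload and gates on `token_use`. It is an added example, not code from the post or from Amplify; the helper names and the sample tokens are constructed, and the `email_verified` requirement is an added assumption about what a resolver keyed on email should demand.

```javascript
// Decode a JWT payload WITHOUT verifying the signature. Diagnostic use only:
// the service verifies the token before it fills $context.identity.claims.
// Uses Node's global Buffer.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) {
    throw new Error('not a compact JWT (expected header.payload.signature)');
  }
  // base64url -> base64; Buffer tolerates the missing padding.
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Hypothetical guard: return the caller's email only from a claim set that can carry it.
function emailFromClaims(claims) {
  if (claims.token_use !== 'id') {
    throw new Error(`token_use is "${claims.token_use}": only the ID token carries email`);
  }
  if (typeof claims.email !== 'string' || claims.email === '') {
    throw new Error('ID token has no email claim');
  }
  if (claims.email_verified !== true) {
    throw new Error('email is not marked verified'); // added assumption, see lead-in
  }
  return claims.email;
}

// Constructed, unsigned sample tokens mirroring the two claim sets in the post.
function makeSampleJwt(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none' })}.${enc(payload)}.constructed-signature`;
}
const sampleIdToken = makeSampleJwt({
  token_use: 'id', email_verified: true, email: 'user@example.com', 'cognito:username': 'xxxx',
});
const sampleAccessToken = makeSampleJwt({
  token_use: 'access', scope: 'aws.cognito.signin.user.admin', username: 'xxxx',
});

// Summarise a token: which kind it is, and the email or the reason there is none.
function describeToken(jwt) {
  const claims = decodeJwtPayload(jwt);
  try {
    return { tokenUse: claims.token_use, email: emailFromClaims(claims), error: null };
  } catch (err) {
    return { tokenUse: claims.token_use, email: null, error: err.message };
  }
}

console.log(describeToken(sampleIdToken));
console.log(describeToken(sampleAccessToken));
```

Running `describeToken` on the value of the `authorization` header from the browser's network tab shows directly whether the request carried the ID token or the access token.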