I have set up AppSync to use OIDC / OpenID Connect as the authoriser and have gotten a token on the client successfully. I am not using Cognito. I am now trying to figure out the following:
I am using the Apollo SDK to interact with my AppSync GraphQL API. How do I pass this OpenID token from the client to it? I assume it has to be some sort of header, but I am unable to find any docs on what AppSync expects it to be.
Once I pass the token, how do I access its claims in AppSync / an AppSync resolver, after it has been verified and the token data extracted?
// aws-appsync wraps Apollo Client and adds the AppSync auth link.
// For OPENID_CONNECT it calls jwtToken() on every request and sends the
// raw JWT in the Authorization header (no "Bearer " prefix), which is
// what AppSync expects for an OIDC authoriser.
import AWSAppSyncClient from 'aws-appsync';

const client = new AWSAppSyncClient({
  url: ...,
  region: ...,
  auth: {
    type: 'OPENID_CONNECT',
    jwtToken: async () => token // Token from Firebase
  }
})
The verified token's claims are exposed to your resolvers through $context.identity. Some of these claims are standard claims (specified by OpenID Connect) and others are custom claims (unique to your project). The shape of $context.identity will be similar to the one emitted had you used AWS Cognito instead of Firebase:

{
  "sub" : "...",              // standard claim - straight from the token
  "issuer" : "...",           // standard claim - straight from the token
  "username" : "...",
  "claims" : { ... },         // custom claims from the token
  "sourceIp" : ["x.x.x.x"],
  "defaultAuthStrategy" : "..."
}
As you can see above, sub and iss are two standard claims that are mapped directly from the token. All other claims from the token are surfaced as custom claims. They can be retrieved via $context.identity.claims.get().
You could then use these claims in a resolver and act on them in a standard fashion.
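As an added example, not part of the answer above, here is resolver-side authorization logic that reads the identity shape the answer describes: it takes `sub` and `issuer` from the mapped standard claims and a `role` custom claim from `claims`, then builds a DynamoDB request whose ownership check is enforced by DynamoDB itself. The identity object, the trusted issuer URL, the `role` claim and the `owner`/`id` attributes are all constructed assumptions. It is written as plain JavaScript so it runs under Node; in an actual APPSYNC_JS resolver the two handlers would be `export`ed and the `throw` calls replaced with `util.unauthorized()` / `util.error()`, since that runtime does not support exceptions or classes.

```javascript
// Added example (not AppSync's or the answer's code). Assumed issuer: in a
// Firebase project the `iss` claim is https://securetoken.google.com/<project>.
const TRUSTED_ISSUER = 'https://securetoken.google.com/my-firebase-project';

function unauthorized(msg) {
  const err = new Error(msg);
  err.name = 'Unauthorized';
  return err;
}

// Extract what we trust from $context.identity. `sub` and `issuer` are the
// standard claims AppSync maps directly; everything else is under `claims`.
function callerFromIdentity(identity) {
  if (!identity || !identity.sub || !identity.issuer) {
    throw unauthorized('no OIDC identity on request');
  }
  // Defence in depth: AppSync has already verified signature and issuer, but a
  // resolver shared across several auth modes should still pin the issuer.
  if (identity.issuer !== TRUSTED_ISSUER) {
    throw unauthorized(`untrusted issuer ${identity.issuer}`);
  }
  const claims = identity.claims || {};
  return {
    sub: identity.sub,
    role: claims.role || 'user',   // assumed custom claim; absent means plain user
    email: claims.email,
  };
}

// Request handler for a deletePost(id) mutation: only the owner or an admin may
// delete. The owner check is pushed into DynamoDB as a condition expression,
// so it cannot be bypassed by a concurrent change to the item.
function request(ctx) {
  const caller = callerFromIdentity(ctx.identity);
  const req = {
    operation: 'DeleteItem',
    key: { id: { S: ctx.args.id } },
  };
  if (caller.role !== 'admin') {
    req.condition = {
      expression: '#owner = :me',
      expressionNames: { '#owner': 'owner' },
      expressionValues: { ':me': { S: caller.sub } },
    };
  }
  return req;
}

// Response handler: turn a failed ownership condition into an auth error
// instead of leaking whether the item exists.
function response(ctx) {
  if (ctx.error) {
    if (ctx.error.type === 'DynamoDB:ConditionalCheckFailedException') {
      throw unauthorized('not the owner of this post');
    }
    throw new Error(ctx.error.message);
  }
  return ctx.result;
}

// Constructed sample identity, shaped like the $context.identity object above.
const sampleIdentity = {
  sub: 'firebase-uid-123',
  issuer: TRUSTED_ISSUER,
  username: 'firebase-uid-123',
  claims: { role: 'user', email: 'alice@example.com', email_verified: true },
  sourceIp: ['203.0.113.10'],
  defaultAuthStrategy: 'ALLOW',
};
```

Usage: `request({ identity: sampleIdentity, args: { id: 'post-1' } })` returns a DeleteItem request conditioned on `owner = firebase-uid-123`; with `claims.role` set to `admin` the condition is omitted, and an identity from any other issuer is rejected before a request is built.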