Using Guest Credentials? #457

Closed
cto-leaps opened this issue Mar 19, 2021 · 11 comments
Labels: auth (Issues related to the Auth Category), GraphQL API (Issues related to the API (GraphQL) Category), pending-close-response-required (The issue will be closed if details necessary to reproduce the issue are not provided within 7 days.)

Comments

@cto-leaps

I'm desperately trying to figure out how to have a user access my graphql endpoint anonymously.
My back end is set up correctly with auth to do so, and my graphql schema authorizes operations such as read for some models.

However, I can't seem to find any documentation on how to proceed to have an anonymous user get credentials and access these models.
Any example available?
Anyone has managed to have both anonymous and logged in users actions work in their app?
How do you migrate an anonymous user to a registered one?

I know lots of questions but I am really lacking documentation here.
Help 🙏

@haverchuck
Contributor

haverchuck commented Mar 22, 2021

@cto-leaps Are you using a Cognito User Pool in combination with a Cognito Identity Pool? If not, what mechanism are you trying to use?

@haverchuck haverchuck added GraphQL API Issues related to the API (GraphQL) Category auth Issues related to the Auth Category clarification-needed labels Mar 22, 2021
@cto-leaps
Author

@haverchuck hey, Yes I am using user pool and identity pool

@SalahAdDin

> I'm desperately trying to figure out how to have a user access my graphql endpoint anonymously.
> My back end is set up correctly with auth to do so, and my graphql schema authorizes operations such as read for some models.
>
> However, I can't seem to find any documentation on how to proceed to have an anonymous user get credentials and access these models.
> Any example available?
> Anyone has managed to have both anonymous and logged in users actions work in their app?
> How do you migrate an anonymous user to a registered one?
>
> I know lots of questions but I am really lacking documentation here.
> Help

It is not possible for guests to fetch objects from the database?

@cto-leaps
Author

@SalahAdDin Nope, when I try an Amplify.Auth.fetchAuthSession(), I do get AWSCredentials, but later, when I try to query my public (IAM) accessible GraphQL model, I get a

{message: Failed to retrieve Cognito UserPool token., underlyingException: L’opération n’a pas pu s’achever. (Amplify.AuthError erreur 6.), recoverySuggestion: }, null))

error...
Any idea?

@ragingsquirrel3
Contributor

@cto-leaps sorry you are having this issue. I was able to reproduce this error with the example API app in this repository when I configured the API to use IAM. I was only able to make guest access work in the same app when it was configured with API key access instead of IAM. I will keep investigating.

@djsjr

djsjr commented Jul 21, 2021

Any update on this?

I have the same problem. Using auth rule "allow: public, provider: iam" but can only query when logged in. I already have guest access set up through auth.

Query as guest produces this result: "flutter: Query failed: ApiException(message: Failed to retrieve Cognito UserPool token., recoverySuggestion: , underlyingException: The operation couldn’t be completed. (Amplify.AuthError error 6.))"

Could this be related to the IAM policy for the unauthenticated role?

@ragingsquirrel3
Contributor

Hello @cto-leaps . Thanks for your patience while I looked into this. I agree it’s confusing, as I spent a lot of time understanding it myself. There may be 2 issues at play here:

  1. Using guest access for a single auth mode, either with API keys or IAM authorization
  2. Using multiple auth modes.

We just added support for #2 via @jodafm’s PR adding support for the apiName parameter to GraphQL requests with version 0.2.2. There is some documentation for that available at the bottom of https://docs.amplify.aws/lib/graphqlapi/authz/q/platform/flutter which has been recently added. Alone, this may not solve your problem, but it allows for many more options when supporting this kind of functionality. For example, you could restrict mutations to logged in users via cognito user pools and allow reading via IAM/api keys, assuming your auth resource has guest access enabled as seen on https://docs.amplify.aws/lib/auth/guest_access/q/platform/flutter. In that case, your schema would have auth directives similar to

@auth(
rules: [
{ allow: private, provider: userPools, operations: [create, update, delete] },
{ allow: public, provider: iam, operations: [read] },
]) {

and that your amplifyconfiguration has entries for both auth modes like the example on the documentation page.

For #1, guest access can be supported in a single auth mode with either API keys (not suggested for write access) or IAM. You mentioned above that you wanted guest access for some operations plus authenticated access for others. In an example app, I was able to get that working with similar auth directives like:

@auth(
rules: [
{ allow: private, provider: iam, operations: [create, update, delete] },
{ allow: public, provider: iam, operations: [read] },
])

This can allow guest access along with authenticated access but does not allow for some features only supported by user pools, like owner-based access. In these use cases, multiple auth modes are handy.

While that’s a little summary, I might be missing some information or might have misread some details from your earlier comments. Which authorization mode(s) are you trying to use with the apiPlugin? Would it be possible to include relevant portions of your graphql schema here as well as amplifyconfiguration.dart file (removing/anonymizing anything you’re not comfortable with)?

@ragingsquirrel3 ragingsquirrel3 added the pending-close-response-required The issue will be closed if details necessary to reproduce the issue are not provided within 7 days. label Aug 12, 2021
@offlineprogrammer
Contributor

Hi @cto-leaps

I am closing this issue for now as we didn't hear from you
We can reopen it if you are still facing the issue and when you provide more details

Regards
Mo

@cto-leaps
Author

So sorry @offlineprogrammer for my silence. I really thought I had commented back.
I managed differently in the end but if I have to switch back to my original needs, I will holler back.

@a9udn9u

a9udn9u commented Aug 23, 2022

> For example, you could restrict mutations to logged in users via cognito user pools and allow reading via IAM/api keys, assuming your auth resource has guest access enabled as seen on https://docs.amplify.aws/lib/auth/guest_access/q/platform/flutter. In that case, your schema would have auth directives similar to
>
> @auth(
> rules: [
> { allow: private, provider: userPools, operations: [create, update, delete] },
> { allow: public, provider: iam, operations: [read] },
> ]) {
>
> and that your amplifyconfiguration has entries for both auth modes like the example on the documentation page.

@ragingsquirrel3

I have this exact permission setup, it worked well in my JavaScript app for 2 years, now I'm porting the app to Flutter but anonymous access doesn't work.

  • In the JS app I passed authMode: GRAPHQL_AUTH_MODE.AWS_IAM for guest users (works).
  • In Flutter I passed apiName: 'foo_public' (doesn't work), my amplifyconfiguration.dart looks like:
     "api": {
         "plugins": {
             "awsAPIPlugin": {
                 "foo": {
                     "endpointType": "GraphQL",
                     "endpoint": "...",
                     "region": "...",
                     "authorizationType": "AMAZON_COGNITO_USER_POOLS"
                 },
                 "foo_public": {
                     "endpointType": "GraphQL",
                     "endpoint": "...",
                     "region": "...",
                     "authorizationType": "AWS_IAM"
                 }
             }
         }
     },
    

Did I miss anything?

BTW, why are the APIs different on different platforms (authMode on JS and apiName on Flutter)? Also, for JS apps there's no need to update the amplify config, but on Flutter we have to add entries manually to amplifyconfiguration.dart, which is an automatically generated file; won't every amplify pull overwrite the manual edit (I haven't tried, so apologies if I'm wrong)?

@0xAPPA

0xAPPA commented Feb 26, 2023

I can confirm the behavior described by @a9udn9u.

Even though I configured AMAZON_COGNITO_USER_POOLS as defaultAuthType and AWS_IAM as additionalAuthTypes during amplify update api, amplifyconfiguration.dart only shows the cognito user pool.

After adding the additional auth type manually everything worked but those changes of course will be lost after running amplify pull because amplifyconfiguration.dart is regenerated.

Are the amplify devs aware that the cli parameter additionalAuthTypes is not reflected in amplifyconfiguration.dart ?

From my current understanding you have to do the following in order to enable authenticated access and guest (anonymous) access:

  1. Run amplify update auth and configure Guest Access. You will see two new policies in your IAM where you can configure permissions.
  2. Run amplify update api and configure multiple authorization modes.
  3. Set the desired permissions in your schema.graphql:
// example
@auth(rules: [
    { allow: public, provider: iam, operations: [read] }, // allow unauthenticated users aka guests to read
    { allow: private, provider: userPools, operations: [create, read] } // allow authenticated users to read and write
])
  4. Run amplify codegen models and amplify push.
  5. Extend amplifyconfiguration.dart manually with the additional auth type like @a9udn9u already mentioned. Be aware that these changes will be deleted on amplify pull.
 "api": {
     "plugins": {
         "awsAPIPlugin": {
             "foo": {
                 "endpointType": "GraphQL",
                 "endpoint": "...",
                 "region": "...",
                 "authorizationType": "AMAZON_COGNITO_USER_POOLS"
             },
             "foo_public": {
                 "endpointType": "GraphQL",
                 "endpoint": "...",
                 "region": "...",
                 "authorizationType": "AWS_IAM"
             }
         }
     }
 },
  6. Specify the auth mode in your graphql query:
// example
final path = 'listTasks';
final request = GraphQLRequest<PaginatedResult<Task>>(
    document: '''query ListTasks {
      $path {
        items {
          id
          name
        }
      }
    }''',
    apiName: 'foo_public', // must match the awsAPIPlugin key above; use 'foo' for authenticated access
    modelType: const PaginatedModelType(Task.classType),
    decodePath: path);
// query() returns a GraphQLOperation; await its response to get the data
final response = await Amplify.API.query(request: request).response;

DataStore does not seem to support multiple authorization modes, so you have to rely on graphql queries.

Created an issue for the problem with additionalAuthTypes in amplifyconfiguration.json.
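As an added check (not code from this thread or from Amplify itself), the Python script below verifies the two things the procedure above depends on: that amplifyconfiguration.dart still carries an AWS_IAM entry under the exact name passed as apiName (the entry disappears when amplify pull regenerates the file, and a name mismatch such as foo-public versus foo_public fails the same way), and that no public @auth rule in schema.graphql grants write operations to guests. The Dart file layout, the sample config and the sample schema are constructed assumptions.

```python
import json
import re

# Constructed sample of amplifyconfiguration.dart, trimmed to the keys that
# matter here (assumed layout: a const Dart string holding the JSON config).
SAMPLE_CONFIG_DART = """const amplifyconfig = ''' {
  "api": {"plugins": {"awsAPIPlugin": {
    "foo": {"endpointType": "GraphQL", "authorizationType": "AMAZON_COGNITO_USER_POOLS"},
    "foo_public": {"endpointType": "GraphQL", "authorizationType": "AWS_IAM"}
  }}}
}''';
"""
# Constructed schema.graphql fragment; Note has an over-broad public rule.
SAMPLE_SCHEMA = """type Task @model @auth(rules: [
  { allow: public, provider: iam, operations: [read] },
  { allow: private, provider: userPools, operations: [create, read] }
]) { id: ID! name: String! }
type Note @model @auth(rules: [{ allow: public, provider: apiKey }]) { id: ID! body: String }
"""

WRITE_OPS = {"create", "update", "delete"}
PUBLIC_RULE = re.compile(
    r"\{\s*allow:\s*public\s*,\s*provider:\s*(\w+)"
    r"(?:\s*,\s*operations:\s*\[([^\]]*)\])?\s*\}")


def api_plugin_entries(dart_source: str) -> dict:
    """Extract the JSON from the Dart string literal and return the awsAPIPlugin map."""
    config = json.loads(dart_source[dart_source.index("{"):dart_source.rindex("}") + 1])
    return config.get("api", {}).get("plugins", {}).get("awsAPIPlugin", {})


def check_guest_api(dart_source: str, api_name: str) -> list:
    """Problems that make api_name unusable for guest access (empty list means OK)."""
    entry = api_plugin_entries(dart_source).get(api_name)
    if entry is None:  # typical after amplify pull regenerated the file, or a name typo
        return [f"no awsAPIPlugin entry named {api_name!r} (regenerated by amplify pull?)"]
    if entry.get("authorizationType") != "AWS_IAM":
        return [f"{api_name!r} uses {entry.get('authorizationType')!r}, expected AWS_IAM"]
    return []


def public_rule_findings(schema: str) -> list:
    """Flag @auth public rules that grant create/update/delete to unauthenticated callers."""
    findings = []
    for m in PUBLIC_RULE.finditer(schema):
        # Assumes Amplify's default: an omitted operations list means all four operations.
        ops = {o.strip() for o in (m.group(2) or "create,update,delete,read").split(",")}
        granted = sorted(ops & WRITE_OPS)
        if granted:
            findings.append(f"public rule with provider {m.group(1)} grants {granted} to guests")
    return findings
```

Run it against the real amplifyconfiguration.dart and schema.graphql after every amplify pull; a non-empty result from either function is the condition that produces the "Failed to retrieve Cognito UserPool token" error or an over-privileged guest role.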

8 participants