Appsync OPENID_CONNECT support?

[tuomassalo]

I'd like to use AppSync - but with OpenID Connect instead of Cognito. Since I've found no example code anywhere (!), I've been trying to modify this repo for the purpose.

For now, I've done more or less these steps:

• added this to app-backend/appsync/dynamo/serverless.yml:

authenticationType: OPENID_CONNECT
openIdConnectConfig:
  issuer: https://MYTEST.ngrok.io # running a node-oidc-provider
  authTTL: 3600000
  iatTTL: 3600000
  clientId: # (see below)

• updated serverless-appsync-plugin to 1.x and fixed some migration stuff as per https://github.com/sid88in/serverless-appsync-plugin#-migration-from-versions-prior-to-10

• updated most of the modules in app-client/appsync-client/package.json

• disabled Amplify and withAuthenticator from /Users/naapuri/dev/witchcase/app-client/appsync-client/src/App.js - ** should I not do that?**

• tried to manually inject an id token:

const client = new AWSAppSyncClient({
  url: process.env.REACT_APP_GRAPHQL_ENDPOINT,
  region: process.env.REACT_APP_AWS_CLIENT_REGION,
  auth: {
    type: AUTH_TYPE.OPENID_CONNECT,
    jwtToken: async () =>
      'ey...', // an id_token copied manually
  },
});

Now my application sends the token as Authorization: ey... within GraphQL endpoint queries. The GraphQL queries give me errors as follows:

• If the token is expired or malformed, I get a 401 and a decent error message telling me that.

• If I have set a value to clientId in AppSync settings, I get a 401:

{
  "errors" : [ {
    "errorType" : "UnauthorizedException",
    "message" : "Unauthorized"
  } ]
}

• And finally, if I leave clientId empty (or give it the same value as the aud (!) param of my token), I get a 500:

{
  "errors" : [ {
    "errorType" : "InternalFailure"
  } ]
}

Now I'm quite stuck, since the GraphQL endpoint is a black box, and even if I enable AppSync logging, there's nothing informative in CloudWatch logs. My ngrok inspector show that an AWS server makes two (successful) requests to my OIDC test server: one to /certs and another one to /.well-known/openid-configuration.

Any idea what I might be missing? Or, any pointers where to start for using OIDC with AppSync?

[sid88in]

@tuomassalo you might want to create this issue in serverless-appsync-plugin (more active)

[shukob]

I experienced similar problems using custom OIDC provider implementation using node-oidc-provider. I do not know if this is related, but the following settings worked:

        formats: {
            default: 'opaque',
            AccessToken: 'jwt'
        },
        scopes: ['openid', 'offline_access'],
        subjectTypes: ['public', 'pairwise'],
        clientCacheDuration: 1 * 24 * 60 * 60, // 1 day in seconds,
        ttl: {
            AccessToken: 1 * 60 * 60, // 1 hour in seconds
            AuthorizationCode: 10 * 60, // 10 minutes in seconds
            IdToken: 1 * 60 * 60, // 1 hour in seconds
            DeviceCode: 10 * 60, // 10 minutes in seconds
            RefreshToken: 1 * 24 * 60 * 60 // 1 day in seconds
        },
        features: {
            devInteractions: false,
            discovery: true,
            requestUri: true,
            oauthNativeApps: true,
            pkce: true,
            backchannelLogout: true,
            frontchannelLogout: true,
            claimsParameter: true,
            clientCredentials: true,
            encryption: true,
            introspection: true,
            jwtIntrospection: true,
            alwaysIssueRefresh: true,
            registration: false,
            registrationManagement: false,
            request: true,
            revocation: true,
            sessionManagement: false,
            webMessageResponseMode: true // defaults to false
        }

I suspect JWT and pairwise related availability is required.

[maxpastor]

Anything new on this subject ?
I encounter the same problem and can't find a way to make it work.