Issue with Auth rules - Owner and custom group claim. #7037

Closed
rajbachu6 opened this issue Apr 8, 2021 · 2 comments
rajbachu6 commented Apr 8, 2021

Before opening, please confirm:

I have installed the latest version of the Amplify CLI (see above), and confirmed that the issue still persists.
I have searched for duplicate or closed issues.
I have read the guide for submitting bug reports.
I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

Node 14.15.5 is being used

Amplify CLI Version

4.45.0

What operating system are you using?

Windows

Amplify Categories

auth

Amplify Commands

Not applicable

Describe the bug

We are implementing multitenant functionality using Amplify. For that we have written auth rules and are using Auth PreToken generation to add claims and groups at the time of user login.

It is working as expected in the AWS Console AppSync GraphiQL. But the same is only partially working when we test with a Postman API call.

i.e. I am able to fetch records for the Teams model using a Postman API call but not for the User model.

Expected behavior

Results should be consistent between the AWS Console AppSync GraphiQL and other modes of access (Node script or Postman).

Reproduction steps

We are trying to achieve multitenant behavior:

  1. Code project added to GitHub - https://github.com/rhorohit/amplifyMultitenant
     Otherwise, follow the steps below:
  2. Create a project with the schema below.
  3. Add auth with:
     a) Cognito user pool and API key,
     b) one Cognito group called "InternalAdmin",
     c) a pre-token generation trigger with the code at https://github.com/rhorohit/amplifyMultitenant/blob/main/amplify/backend/function/amplifyauthprojectc0e31684PreTokenGeneration/src/index.js, and update the config file with your GraphQL endpoints.

GraphQL schema(s)

# Put schemas below this line
type Tenant @model @auth(rules: [
    { allow: public, provider: apiKey, operations: [read] },
    { allow: groups, groups: ["InternalAdmin"], operations: [create, read, update, delete]},
    { allow: groups, groupsField: "id", operations: [read, update] }
    { allow: groups, groupsField: "id", groupClaim: "teamAdmin", operations: [read] }    
  ]) {
  id: ID!
  name: String!
  details: String
  createdAt: AWSDateTime
  updatedAt: AWSDateTime
  teams: [Team] @connection(keyName: "byTenant", fields: ["id"])
}

type User @model @auth(rules: [
    { allow: public, provider: apiKey, operations: [read] },
    # allow the User to read, update their own User record
    { allow: owner, ownerField: "id", identityClaim: "userID", operations: [create, read, update]},
    # static group
    { allow: groups, groups: ["InternalAdmin"], operations: [create, read, update, delete]},
    { allow: groups, groupsField: "tenantID", operations: [create, read, update] }
    { allow: groups, groupsField: "tenantID", groupClaim: "teamAdmin", operations: [read] }    
  ]) @key(name: "userByEmail", fields: ["email"], queryField: "userByEmail")
{
  id: ID
  email: String
  tenantID: ID!
  tenant: Tenant @connection (fields: ["tenantID"])
  firstName: String!
  lastName: String
  teams: [UserTeam] @connection(keyName: "byUser", fields: ["id"])
  userRole: [UserType!]!
}

enum UserType {
  TeamManager
  SubAgent
  Customer
  TenantAdmin
  InternalAdmin
}

type Team @model  @auth(rules: [
    { allow: public, provider: apiKey, operations: [read] },
    { allow: groups, groups: ["InternalAdmin"], operations: [create, read, update, delete]},
    { allow: groups, groupsField: "tenantID", operations: [create, read, update, delete] }
    { allow: groups, groupsField: "id", operations: [read, update] }
  ])
  @key(name: "byTenant", fields: ["tenantID", "teamName"]){
  id: ID!
  teamName: String!
  tenantID: ID!
  users: [UserTeam] @connection(keyName: "byTeam", fields: ["id"])
}

type UserTeam @model
 @auth(rules: [
    { allow: public, provider: apiKey, operations: [read]  },
    {allow: groups, groups: ["InternalAdmin"], operations: [create, read, update, delete]}
    { allow: groups, groupsField: "tenantID", operations: [create, read, update, delete] }
    { allow: groups, groupsField: "tenantID", groupClaim: "teamAdmin", operations: [read] }   
  ])
  @key(name: "byUser", fields: ["userID", "teamID"])
  @key(name: "byTeam", fields: ["teamID", "userID"]) {
  id: ID!
  teamID: ID!
  userID: ID!
  tenantID: ID!
  createdAt: AWSDateTime
  updatedAt: AWSDateTime
  team: Team! @connection(fields: ["teamID"])
  user: User! @connection(fields: ["userID"])
}

input createUserSignupInput {
  id: ID
  email: String!
}

Log output

# Put your logs below this line


Find the results fetched when the script in step 4 is executed:
  a) User - Tenant Admin => fetches Tenant, Team and User records
  b) User - Team Manager => fetches Team records only, but it should fetch User records as well
  c) User - Sub Agent => fetches nothing, but it should fetch User records

Successful data retrieval on Appsync GraphiQL Explorer
UserRole: Team Manager => This user is able to retrieve Team as well as User records


Failed to retrieve the data from a Postman API call: i) UserRole: Team Manager => this user is able to retrieve Team data.
( one can follow this link for postman connectivity https://stackoverflow.com/questions/52287506/how-do-i-integrate-amazon-cognito-login-in-postman)


Expected result: results should be consistent when the fetch request is triggered from any source, whether the AWS Amplify AppSync console, a Node script or a Postman API call.
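The reproduction steps refer to a pre-token generation trigger that adds tenant and team claims at login. What follows is an added example of such a trigger written for this page; it is not the trigger from the linked repository. The in-memory membership table is constructed, the claim names (`userID`, `teamAdmin`) are taken from the schema above, using the tenant ID as a group is an illustrative choice, and encoding a multi-valued claim as a JSON string is an assumption about how the transformer reads it. It also records the caveat that explains the rest of this thread: a V1 pre-token generation trigger customizes the ID token only, so nothing it adds ever appears in the access token.

```javascript
'use strict';

// Constructed stand-in for the membership lookup a real trigger performs
// (the issue's trigger queries the GraphQL API for this). Keyed by email
// because the pre token generation event carries the user's attributes.
const MEMBERSHIP = {
  'alice@example.com': { userID: 'user-1', tenantID: 'tenant-1', adminOf: [] },
  'bob@example.com':   { userID: 'user-2', tenantID: 'tenant-1', adminOf: ['team-7', 'team-9'] },
};

function lookupMembership(email) {
  return MEMBERSHIP[email] || null;
}

// Pure function that fills in event.response for a Cognito pre token
// generation (V1_0) event. The event shape is the one Cognito sends:
// event.request.userAttributes, event.request.groupConfiguration.groupsToOverride,
// and event.response.claimsOverrideDetails is where customizations go.
function addTenantClaims(event) {
  const email = event.request.userAttributes.email;
  const membership = lookupMembership(email);
  if (!membership) {
    // Unknown user: leave the token untouched. With the schema in this issue
    // such a user then matches only the apiKey and static-group rules.
    return event;
  }

  // groupsToOverride REPLACES cognito:groups, so the user pool groups the
  // user really belongs to (e.g. "InternalAdmin") must be carried over or the
  // static-group rule silently stops matching.
  const poolGroups = (event.request.groupConfiguration &&
                      event.request.groupConfiguration.groupsToOverride) || [];

  event.response = {
    claimsOverrideDetails: {
      claimsToAddOrOverride: {
        // Matched by { allow: owner, ownerField: "id", identityClaim: "userID" }.
        userID: membership.userID,
        // Matched by the rules that set groupClaim: "teamAdmin". Claim values
        // must be strings; a JSON-encoded list is an assumption about how the
        // transformer parses a multi-valued custom claim.
        teamAdmin: JSON.stringify(membership.adminOf),
      },
      groupOverrideDetails: {
        // The tenant ID becomes a group so { allow: groups, groupsField: "tenantID" }
        // matches through the default cognito:groups claim.
        groupsToOverride: [...poolGroups, membership.tenantID],
      },
    },
  };
  return event;
}

// Lambda entry point. NOTE: V1_0 of this trigger customizes the ID token
// only; the access token Cognito issues for the same login carries none of
// the claims or groups added above.
const handler = async (event) => addTenantClaims(event);

if (typeof module !== 'undefined') {
  module.exports = { handler, addTenantClaims, lookupMembership };
}
```

Because `groupsToOverride` replaces rather than extends `cognito:groups`, a trigger that forgets to copy the pool groups will break the `InternalAdmin` static-group rule even though the Cognito console still shows the user in that group.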

rajbachu6 (Author) commented

With the suggestion from @paulsson in aws-amplify/amplify-category-api#449,
I compared the headers and noticed that the AppSync console query is using the ID token as the Authorization parameter, whereas the Amplify API call and the Postman calls were using the access token.
With the help of aws-amplify/amplify-data#485, I have made changes to have my API use the ID token instead of the access token.
My problem is solved. Now we have the auth rules working properly.
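The change described in this comment, sending the Cognito ID token instead of the access token in the Authorization header, as an added example that is not the author's code or the code from the linked issues. It assumes Amplify JS v3/v4 (`Auth.currentSession()` returning a session whose `getIdToken().getJwtToken()` yields the ID token, and the `API.graphql_headers` configuration hook). The two sample tokens are constructed, unsigned JWTs used only to show the `token_use` claim that tells the two token types apart; `Amplify` and `Auth` are passed in as parameters so the helpers can run without the library installed.

```javascript
'use strict';

// Decode a JWT payload without verifying it. That is acceptable here: the
// client is only choosing which of its own tokens to send, and AppSync
// verifies the signature server-side before evaluating any @auth rule.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Cognito tags every token with token_use ("id" or "access"). Claims and
// groups injected by a V1 pre token generation trigger land in the ID token
// only, so an access token fails every @auth rule that depends on them, even
// though AppSync accepts it as a valid Cognito token.
function idTokenForAuthorizationHeader(jwt) {
  const payload = decodeJwtPayload(jwt);
  if (payload.token_use !== 'id') {
    throw new Error(`expected a Cognito ID token, got token_use=${payload.token_use}`);
  }
  return jwt;
}

// Register a graphql_headers hook so every API.graphql call sends the ID
// token. awsconfig is the generated aws-exports object; passing it in the
// same call keeps the endpoint and default auth-mode settings next to the hook.
function configureApiToUseIdToken(Amplify, Auth, awsconfig) {
  const config = {
    ...awsconfig,
    API: {
      graphql_headers: async () => {
        const session = await Auth.currentSession();
        const jwt = session.getIdToken().getJwtToken();
        return { Authorization: idTokenForAuthorizationHeader(jwt) };
      },
    },
  };
  Amplify.configure(config);
  return config;
}

// --- constructed sample tokens (unsigned; the signature segment is a placeholder) ---
function makeUnsignedJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.sig`;
}

// What the trigger-customized ID token carries (claim names from the schema).
const SAMPLE_ID_TOKEN = makeUnsignedJwt({
  token_use: 'id', sub: 'user-2',
  'cognito:groups': ['InternalAdmin', 'tenant-1'],
  userID: 'user-2', teamAdmin: '["team-7"]',
});
// The access token for the same login: pool groups only, no custom claims.
const SAMPLE_ACCESS_TOKEN = makeUnsignedJwt({
  token_use: 'access', sub: 'user-2',
  'cognito:groups': ['InternalAdmin'],
  scope: 'aws.cognito.signin.user.admin',
});
```

Comparing the two decoded payloads is the quickest way to confirm the diagnosis in this thread: the access token still carries the real `cognito:groups`, which is why rules keyed on a pool group keep working, while `userID`, `teamAdmin` and the tenant group exist only in the ID token.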

github-actions bot commented

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels for those types of questions.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 24, 2021