1
votes

A very basic scenario where I want to test an AppSync mutation on GraphQL Playground, which was working fine with API key authentication.

I have attached an additional authorization provider besides the API key authentication.

screenshot for additional authorization

Mutation:

type Mutation {
  createPitch(gameID: ID!, pitchID: Int!, pitchEvent: PitchInput!): Pitch
    @aws_api_key
  predictPitch(userID: String!, gamePitchID: String!, prediction: PredictionInput): Prediction
    @aws_cognito_user_pools
}

Invoking the predictPitch mutation on GraphQL Playground:

mutation PredictPitch($prediction:PredictionInput) {
  predictPitch(userID: "12345", gamePitchID: "29fb2xx-xxxxx-xxxxx-1", 
  prediction: $prediction ) {
    gameID
    gamePitchID
  }
}

Query variables:

{
  "prediction": {
    "gameID": "29",
    "hitterGuess": "Miss",
    "pitcherGuess": "Fastball"
  }
}

Headers:


{
  "X-API-KEY": "da2-o6fs2lq47vbehexxxxxxxx",
  "Authorization": "Bearer xxxx-the-pretty-long-jwt-token-from-cognito login"
}

I have tried the Authorization header alone and in conjunction with x-api-key. Nothing has worked so far. I am pretty sure I am missing a very tiny bit.

{
  "error": {
    "errors": [
      {
        "errorType": "UnauthorizedException",
        "message": "Valid authorization header not provided."
      }
    ]
  }
}

NOTE: The JWT AccessToken is generated via the aws-cli command aws cognito-idp admin-initiate-auth.

1
In the case of just the Authorization header, I am also using a Cognito user pool to authenticate queries, and in addition to the directive in the query definition, I also have the same directive on all the objects (types) that the query is accessing. In the case of both (Authorization and API key), I tried it and it works if I define both directives (aws_cognito_user_pools and aws_api_key) on the query and on the objects that the query is trying to access. So for your case, you can try adding the directives to 'Pitch' and 'Prediction'. Maybe this could give you some hint. - Myz

1 Answer

3
votes

I had to add @aws_cognito_user_pools on type Prediction along with my mutation.

type Prediction @aws_cognito_user_pools {
   gameID
   gamePitchID
}

Also, from Cognito I had to use the idToken, like so:

{
   "Authorization": "xxxxxxxxxx"
}

Do notice that the Bearer prefix is missing.
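
A pre-flight check for the header described in the answer above, as an added example that is not part of the original answer: it reads the standard Cognito `token_use` claim to tell an ID token from an access token, drops a pasted `Bearer ` prefix, and returns the header to send. The helper names are hypothetical, the sample token is constructed and unsigned, and the signature is not verified here (this is for local debugging, not for authorization decisions).

```python
import base64
import json
import time


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (debugging only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def appsync_headers(token: str, now=None) -> dict:
    """Hypothetical helper: build the Authorization header the answer describes."""
    # Tolerate a pasted "Bearer " prefix, then send the raw token only.
    if token.lower().startswith("bearer "):
        token = token[7:].strip()
    claims = jwt_claims(token)
    if claims.get("token_use") != "id":
        raise ValueError(f"expected an ID token, got token_use={claims.get('token_use')!r}")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token is expired")
    return {"Authorization": token}


def make_sample_token(token_use: str, exp: int) -> str:
    # Constructed, unsigned sample shaped like a Cognito JWT; not a real credential.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}),
                     enc({"token_use": token_use, "exp": exp}), "c2ln"])


if __name__ == "__main__":
    sample = make_sample_token("id", 4102444800)
    print(appsync_headers("Bearer " + sample, now=1700000000))
```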