Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Custom claims not working any longer after upgrading to v6 #12643

Closed
3 tasks done
hanna-becker opened this issue Nov 28, 2023 · 7 comments
Closed
3 tasks done

Custom claims not working any longer after upgrading to v6 #12643

hanna-becker opened this issue Nov 28, 2023 · 7 comments
Assignees
Labels
Auth Related to Auth components/category GraphQL Related to GraphQL API issues investigating This issue is being investigated to-be-reproduced Used in order for Amplify to reproduce said issue V6 V6 of Amplify JS

Comments

@hanna-becker
Copy link

hanna-becker commented Nov 28, 2023

Before opening, please confirm:

JavaScript Framework

Angular

Amplify APIs

Authentication, GraphQL API, Storage

Amplify Categories

auth, storage, function, api

Environment information

# Put output below this line

➜ npx envinfo --system --binaries --browsers --npmPackages --duplicates --npmGlobalPackages
Need to install the following packages:
[email protected]
Ok to proceed? (y)

  System:
    OS: Linux 5.15 Ubuntu 22.04.3 LTS 22.04.3 LTS (Jammy Jellyfish)
    CPU: (24) x64 AMD Ryzen 9 5900X 12-Core Processor
    Memory: 23.30 GB / 31.31 GB
    Container: Yes
    Shell: 5.1.16 - /bin/bash
  Binaries:
    Node: 18.18.2 - ~/.nvm/versions/node/v18.18.2/bin/node
    Yarn: 1.22.21 - ~/.nvm/versions/node/v18.18.2/bin/yarn
    npm: 9.8.1 - ~/.nvm/versions/node/v18.18.2/bin/npm
  Browsers:
    Chrome: 119.0.6045.159
    Chromium: 119.0.6045.159
  npmPackages:
    @amplitude/analytics-browser: ^2.2.3 => 2.3.5
    @angular-builders/jest: ^17.0.0 => 17.0.0
    @angular-devkit/build-angular: ^17.0.3 => 17.0.3
    @angular-eslint/builder: ^17.1.0 => 17.1.0
    @angular-eslint/eslint-plugin: ^17.1.0 => 17.1.0
    @angular-eslint/eslint-plugin-template: ^17.1.0 => 17.1.0
    @angular-eslint/schematics: ^17.1.0 => 17.1.0
    @angular-eslint/template-parser: ^17.1.0 => 17.1.0
    @angular/animations: ^17.0.4 => 17.0.4
    @angular/cdk: ^17.0.1 => 17.0.1
    @angular/cli: ^17.0.3 => 17.0.3
    @angular/common: ^17.0.4 => 17.0.4
    @angular/compiler: ^17.0.4 => 17.0.4
    @angular/compiler-cli: ^17.0.4 => 17.0.4
    @angular/core: ^17.0.4 => 17.0.4
    @angular/forms: ^17.0.4 => 17.0.4
    @angular/language-service: ^17.0.4 => 17.0.4
    @angular/material: ^17.0.1 => 17.0.1
    @angular/platform-browser: ^17.0.4 => 17.0.4
    @angular/platform-browser-dynamic: ^17.0.4 => 17.0.4
    @angular/router: ^17.0.4 => 17.0.4
    @angular/youtube-player: ^17.0.1 => 17.0.1
    @aws-amplify/ui-angular: ^5.0.2 => 5.0.2
    @babel/core: ^7.20.2 => 7.23.3 (7.23.2)
    @babel/plugin-proposal-decorators: ^7.22.3 => 7.23.3
    @babel/preset-env: ^7.22.4 => 7.23.3 (7.23.2)
    @babel/preset-typescript: ^7.21.5 => 7.23.3
    @bahmutov/cypress-esbuild-preprocessor: ^2.2.0 => 2.2.0
    @commitlint/cli: ^17.6.6 => 17.8.1
    @commitlint/config-conventional: ^17.6.6 => 17.8.1
    @cypress/angular:  0.0.0-development
    @cypress/mount-utils:  0.0.0-development
    @cypress/react:  0.0.0-development
    @cypress/react18:  0.0.0-development
    @cypress/schematic: ^2.5.1 => 2.5.1
    @cypress/svelte:  0.0.0-development
    @cypress/vue:  0.0.0-development
    @cypress/vue2:  0.0.0-development
    @esbuild-plugins/node-globals-polyfill: ^0.2.3 => 0.2.3
    @esbuild-plugins/node-modules-polyfill: ^0.2.2 => 0.2.2
    @frsource/cypress-plugin-visual-regression-diff: ^3.3.10 => 3.3.10
    @jspm/core: ^2.0.1 => 2.0.1
    @juggle/resize-observer: ^3.3.1 => 3.4.0
    @ngrx/component: ^17.0.0 => 17.0.1
    @ngrx/effects: ^17.0.0 => 17.0.1
    @ngrx/entity: ^17.0.0 => 17.0.1
    @ngrx/router-store: ^17.0.0 => 17.0.1
    @ngrx/store: ^17.0.0 => 17.0.1
    @ngrx/store-devtools: ^17.0.0 => 17.0.1
    @types/jest: ^29.5.3 => 29.5.10
    @types/node: ^20.2.5 => 20.10.0 (20.5.1, 18.18.13, 14.18.63)
    @types/spotify-web-playback-sdk: ^0.1.15 => 0.1.19
    @typescript-eslint/eslint-plugin: ^5.59.1 => 5.62.0
    @typescript-eslint/parser: ^5.59.1 => 5.62.0
    angular-audio-context: ^35.0.7 => 35.0.7
    autoprefixer: ^10.4.7 => 10.4.16
    aws-amplify: ^6.0.5 => 6.0.5
    aws-amplify/adapter-core:  undefined ()
    aws-amplify/analytics:  undefined ()
    aws-amplify/analytics/kinesis:  undefined ()
    aws-amplify/analytics/kinesis-firehose:  undefined ()
    aws-amplify/analytics/personalize:  undefined ()
    aws-amplify/analytics/pinpoint:  undefined ()
    aws-amplify/api:  undefined ()
    aws-amplify/api/server:  undefined ()
    aws-amplify/auth:  undefined ()
    aws-amplify/auth/cognito:  undefined ()
    aws-amplify/auth/cognito/server:  undefined ()
    aws-amplify/auth/server:  undefined ()
    aws-amplify/datastore:  undefined ()
    aws-amplify/in-app-messaging:  undefined ()
    aws-amplify/in-app-messaging/pinpoint:  undefined ()
    aws-amplify/push-notifications:  undefined ()
    aws-amplify/push-notifications/pinpoint:  undefined ()
    aws-amplify/storage:  undefined ()
    aws-amplify/storage/s3:  undefined ()
    aws-amplify/storage/s3/server:  undefined ()
    aws-amplify/storage/server:  undefined ()
    aws-amplify/utils:  undefined ()
    aws-sdk: ^2.1360.0 => 2.1505.0
    babel-loader: ^9.1.2 => 9.1.3
    babel-plugin-dynamic-import-node: ^2.3.3 => 2.3.3
    chokidar: ^3.5.2 => 3.5.3
    commitizen: ^4.3.0 => 4.3.0
    cross-spawn: ^7.0.3 => 7.0.3
    cypress: 12.14.0 => 12.14.0
    cypress-duration-metrics: ^1.1.2 => 1.1.2
    cypress-social-logins: ^1.14.1 => 1.14.1
    cz-conventional-changelog: ^3.3.0 => 3.3.0
    echarts: ^5.4.3 => 5.4.3
    esbuild: ^0.19.8 => 0.19.8 (0.19.5, 0.18.20)
    eslint: ^8.38.0 => 8.54.0
    eslint-config-prettier: ^8.5.0 => 8.10.0
    eslint-plugin-cypress: ^2.15.1 => 2.15.1
    eslint-plugin-import: 2.27.5 => 2.27.5
    eslint-plugin-jsdoc: 43.0.0 => 43.0.0
    eslint-plugin-ngrx: ^2.1.4 => 2.1.4
    eslint-plugin-no-skipped-tests: file:./eslint-plugin-no-skipped-tests => 1.7.0
    eslint-plugin-prefer-arrow: 1.2.3 => 1.2.3
    eslint-plugin-prettier: ^5.0.0 => 5.0.1
    eslint-plugin-rxjs: ^5.0.2 => 5.0.3
    eslint-plugin-rxjs-angular: ^2.0.1 => 2.0.1
    everpolate: 0.0.3 => 0.0.3
    express: ^4.17.1 => 4.18.2
    fabric: 6.0.0-beta15 => 6.0.0-beta15
    finalhandler: ^1.1.2 => 1.2.0 (1.1.0)
    http: 0.0.1-security => 0.0.1-security
    husky: ^8.0.3 => 8.0.3
    jest: ^29.6.2 => 29.7.0
    jest-junit: ^16.0.0 => 16.0.0
    jest-preset-angular: ^13.1.4 => 13.1.4
    ngrx-store-freeze: ^0.2.4 => 0.2.4
    ngx-echarts: ^17.1.0 => 17.1.0
    ngx-file-drop: ^15.0.0 => 15.0.0
    ngx-image-cropper: ^6.3.3 => 6.3.4
    ngx-scrollbar: ^13.0.3 => 13.0.3
    node-fetch: ^3.2.4 => 3.3.2 (2.7.0)
    pako: ^2.1.0 => 2.1.0 (1.0.11)
    spotify-web-api-js: ^1.5.2 => 1.5.2
    standard-version: ^9.5.0 => 9.5.0
    start-server-and-test: ^1.14.0 => 1.15.5
    supports-webp: ^3.0.0 => 3.0.0
    swiper: ^8.4.5 => 8.4.7
    swiper_angular:  0.0.1
    tailwindcss: ^3.1.4 => 3.3.5
    ts-jest: ^29.1.1 => 29.1.1
    ts-node: ^10.9.1 => 10.9.1
    typescript: ~5.2.2 => 5.2.2 (5.3.2)
    uuid: ^9.0.0 => 9.0.1 (8.3.2, 8.0.0)
    wavesurfer.js: ^6.6.4 => 6.6.4
    webpack: ^5.84.1 => 5.89.0
    webpack-bundle-analyzer: ^4.8.0 => 4.10.1
    zen-observable-ts: ^1.1.0 => 1.1.0
    zone.js: ~0.14.2 => 0.14.2
  npmGlobalPackages:
    @angular/cli: 17.0.2
    @aws-amplify/cli: 12.8.2
    @expo/ngrok: 4.1.3
    corepack: 0.19.0
    eas-cli: 5.9.1
    npm: 9.8.1
    yarn: 1.22.21




Describe the bug

This bug is related to the one opened here, but slightly different, as it affects custom claims, not group claims. While GROUP claims still work for queries and mutations in our case, CUSTOM claims stopped working altogether in amplify v6.

This is our model of a Project. There are members that have read-write permissions and there are invitees that have read-only permissions:

type Project
  @model(
    queries: { get: "getProject" }
    mutations: { create: "createProject", update: "updateProject" }
    subscriptions: null
  )
  @auth(
    rules: [
      { allow: owner }
      { allow: groups, groupsField: "group", operations: [read, update] } # We add these claims in alter-claim.js - called by PreToken generator Lambda
      { allow: groups, groupsField: "group", groupClaim: "project:invitee", operations: [read] }
    ]
  ) {
  id: ID!
  group: String! # Duplicate of id -> workaround until https://github.com/aws-amplify/amplify-cli/issues/9788 is fixed
  name: String!
  description: String
  ...
}

In the pre token generation lambda, we add those permissions as custom/group claims, respectively:

// in alter-claims.js
const projectIDsReadWrite = await queryMemberProjectIDs(userID);
const projectIDsReadOnly = await queryInvitedProjectIDs(userID);

event.response = {
  claimsOverrideDetails: {
    claimsToAddOrOverride: {
      'project:invitee': JSON.stringify(projectIDsReadOnly), // this custom claim stopped working altogether in amplify v6
    },
    groupOverrideDetails: {
      groupsToOverride: projectIDsReadWrite, // this group claim works for queries & mutations
    },
  },
};

Looking at the idToken in the browser (In Chrome dev tools: Application -> Local storage -> localhost/app url -> CognitoIdentityServiceProvider.{{sth.sth}}.idToken -> decode value e.g. here: https://jwt.io/), I can see the claims are still being set correctly from the pre token lambda function. The payload json looks something like this (ids are altered for this post). This is for my test user who is a full member of 2 projects (read-write access) and invited to another one (read-only access). :

{
  "sub": "12345678-9101-1121-3141-5161171819202"
  "cognito:groups": [
    "f411ed1b-3de8-41cf-b1ac-6fd21ec001d8",
    "8a57b40c-270c-45f0-94d6-68b3ac666d42"
  ],
  "project:invitee": "[\"5332e068-0aab-4738-bd97-897f1a7bace4\"]",
  ...
}

However, when querying read-only projects for this user, I get an unauthorized error from the grapqhql API call, indicating the read-only claim is potentially not being applied correctly:

"errorType":"Unauthorized"
"message":"Not Authorized to access getMusicProject on type Query"

This is working with amplify v5.

As opposed to the subscription issue I referenced above, we know the idToken is being passed down correctly for the query. Otherwise we would also see authorization errors for for the 2 projects our test user is a member of. But there seems to have been some parsing logic on the custom claim in v5 that is not there any more or different in v6.

Expected behavior

We can use custom claims as in v5 without getting unauthorized errors.

Reproduction steps

Reproduction steps:

  1. Create an amplify app with Cognito user pool, no datastore, and this schema:
type Project
  @model(
    queries: { get: "getProject" }
    mutations: { create: "createProject", update: "updateProject" }
    subscriptions: null
  )
  @auth(
    rules: [
      { allow: owner }
      { allow: groups, groupsField: "group", operations: [read, update] } # We add these claims in alter-claim.js - called by PreToken generator Lambda
      { allow: groups, groupsField: "group", groupClaim: "project:invitee", operations: [read] }
    ]
  ) {
  id: ID!
  group: String! # Duplicate of id -> workaround until https://github.com/aws-amplify/amplify-cli/issues/9788 is fixed
  name: String!
  description: String
  ...
}
  1. Create a Cognito user that can log into the application, e.g. via the authenticator component from one of the amplify-ui packages.
  2. Create 2 projects in DDB that each have the owner set to something other than the user's id.
  3. Use amplify update auth command with the amplify cli to create a pre token generation lambda and override claims like shown above. Instead of querying the project ids, just hard-code them to the ids of the 2 projects you created in DDB, one for the 'project:invitee' claim, the other one for the groupsToOverride claim (this is a normal JS array).
  4. Query the projects with grapqhl from the application. You should see that it works for the group claim, but not for the 'project:invitee'.
  5. Notice that it works in both cases with amplify v5.

Code Snippet

// Put your code below this line.

Log output

// Put your logs below this line


Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

@hanna-becker hanna-becker added the pending-triage Issue is pending triage label Nov 28, 2023
@nadetastic nadetastic added Auth Related to Auth components/category GraphQL Related to GraphQL API issues labels Nov 28, 2023
@hanna-becker
Copy link
Author

Upon further investigation I can see that the groups are being passed on in the Graphql request, but the custom claim isn't. Meaning, the idToken that I see in dev tools network tab, when decoded, has a "cognito:groups" array, but is missing my "project:invitee" claim, even though both are present in my local storage's idToken.

@hanna-becker
Copy link
Author

Also, overriding the api config like mentioned in the other issue makes no difference for me:

// V6
import { Amplify } from "aws-amplify";
import { fetchAuthSession } from "aws-amplify/auth";
import config from "./amplifyconfiguration.json";

Amplify.configure(config, {
  API: {
    GraphQL: {
      headers: async () => ({
        Authorization: (
          await fetchAuthSession()
        ).tokens?.idToken?.toString() as string,
      }),
    },
  },
});

Whether I have this override or not, in both cases the idToken of the request has "cognito:groups", but not "project:invitee".

@hanna-becker
Copy link
Author

So in summary it seems like the idToken that my pre token generator lambda produces with correct values is being decoded, the non-group custom claim stripped away, and then reencoded before making the API call to AppSync somewhere in the client.

@david-mcafee david-mcafee added the V6 V6 of Amplify JS label Nov 28, 2023
@hanna-becker
Copy link
Author

New update: The override above does work to patch the "project:invitee" claim, I just got the syntax wrong. Still wondering why without this override group claims are passed on automatically, while others are stripped away from the id token?

@hanna-becker
Copy link
Author

If it is intended behavior that non-group custom claims get stripped from the id token, while group custom claims aren't, I'm ready to close this issue. Otherwise it'd be worth investigating/fixing this behvior.

@chrisbonifacio
Copy link
Member

Hi @hanna-becker 👋 thank you for raising this issue and providing us the context of your troubleshooting.

I will discuss this with the team to confirm if it is expected behavior.

Also, out of curiosity, when you said:

The override above does work to patch the "project:invitee" claim, I just got the syntax wrong

Does this mean you are unblocked and able to use custom claims again?
Lastly, what was the change you had to make for it to work?

@chrisbonifacio chrisbonifacio added pending-response and removed pending-triage Issue is pending triage labels Nov 29, 2023
@chrisbonifacio chrisbonifacio self-assigned this Nov 29, 2023
@chrisbonifacio chrisbonifacio added to-be-reproduced Used in order for Amplify to reproduce said issue investigating This issue is being investigated labels Nov 29, 2023
@hanna-becker
Copy link
Author

Hi @chrisbonifacio, thank you for getting back to me so quickly!

Yes, I'm unblocked. After reading a bit more, I believe what I'm observing is expected: Normally, the header contains the access token, which includes the Cognito groups (in my case the ones added in the pre token generator lambda). But any additional custom claims (in my case "project:invitee") are only included in the id token, so to use them we need to configure amplify to send the id token, instead of the access token when making api calls:

import { Amplify } from "aws-amplify";
import { fetchAuthSession } from "aws-amplify/auth";
import config from "./amplifyconfiguration.json";

Amplify.configure(config, {
  API: {
    GraphQL: {
      headers: async () => ({
        Authorization: (
          await fetchAuthSession()
        ).tokens?.idToken?.toString() as string,
      }),
    },
  },
});

The reason it didn't work initially is that I got confused with the syntax (the header now gets passed in a second argument to Amplify.configure, while in v5 it got passed as part of the first arg). It works now!

The whole topic of adding/overriding group and custom claims needs way better documentation, though. There is already an open ticket for better docs around custom claims, and I will add a suggestion there and close this ticket.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Auth Related to Auth components/category GraphQL Related to GraphQL API issues investigating This issue is being investigated to-be-reproduced Used in order for Amplify to reproduce said issue V6 V6 of Amplify JS
Projects
None yet
Development

No branches or pull requests

4 participants