Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(Core): support identityClaim "sub" #794

Merged
merged 2 commits into from
Oct 5, 2020
Merged

fix(Core): support identityClaim "sub" #794

merged 2 commits into from
Oct 5, 2020

Conversation

wooj2
Copy link
Contributor

@wooj2 wooj2 commented Oct 1, 2020

In attempts to resolve:
#485

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@wooj2 wooj2 requested a review from lawmicha October 1, 2020 22:07
Base automatically changed from main-691 to main October 1, 2020 22:17
lawmicha
lawmicha suggested changes Oct 2, 2020
View reviewed changes
AmplifyPlugins/Core/AWSPluginsCore/Model/Decorator/AuthRuleDecorator.swift Outdated
Comment on lines 83 to 87
if identityClaim == "username" {
return authUser.username
} else if identityClaim == "sub" {
return authUser.userId
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i think these might be "cognito:username" https://github.com/aws-amplify/amplify-cli/blob/master/packages/amplify-codegen-appsync-model-plugin/src/__tests__/visitors/appsync-swift-visitor.test.ts#L1012

and "sub" looks correct: https://github.com/aws-amplify/amplify-cli/blob/master/packages/amplify-codegen-appsync-model-plugin/src/__tests__/visitors/appsync-swift-visitor.test.ts#L1120

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This differs from the current Android logic, here. My understanding is that Android gets the username from the decrypted authToken instead of from getUsername, which is necessary to support email/phone sign in.

@TrekSoft can you confirm?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested w/ schema of:

type ScenarioATest6Post @model @auth(rules: [{ allow: owner, identityClaim: "username" }]) {
  id: ID!
  title: String!
}

and

type ScenarioATest6Post @model @auth(rules: [{ allow: owner}]) {
  id: ID!
  title: String!
}

in both cases, in our model generated schema, we see:

    
    model.authRules = [
      rule(allow: .owner, ownerField: "owner", identityClaim: "cognito:username", operations: [.create, .update, .delete, .read])
    ]

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

change looks good as incremental improvement as it would support sub and username (iff user uses username for sign in). Considering Android's current implementation, we should probably keep #485 open to address the username as email and phone sign in to do a similar JWT parse to extract the username out

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i wonder, if the auth plugin's get username behaves differently on Android and iOS such that on iOS we can rely on getUsername

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We shouldn't rely on getUsername - Cognito is comparing what is sent to what is in the token and it simplifies the code as well to just do it like Android is where we simply pull the right value from the token. With custom identity claims, we can pull whatever other value is specified.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@TrekSoft & @richardmcclellan -- thanks for calling this out.. Looked into implementing the parsing of the JWT token, and it's a bit more work than expecting. For this reason, we are going to push this code in and view it as an incremental improvement, while keeping #485 open to ultimately fix it in the manner you have suggested. Thanks again for extra eyes on this.

@wooj2 wooj2 requested a review from lawmicha October 2, 2020 22:01
@lawmicha lawmicha mentioned this pull request Oct 5, 2020
Closed
lawmicha
lawmicha approved these changes Oct 5, 2020
View reviewed changes
Copy link
Contributor

@lawmicha lawmicha left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

approved if u want to merge this in as incremental support, but should consider Android's implementation differences and their requirement for parsing the JWT token

@wooj2 wooj2 merged commit e052b59 into main Oct 5, 2020
@wooj2 wooj2 deleted the main-691-485 branch October 5, 2020 21:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@TrekSoft TrekSoft TrekSoft left review comments

@lawmicha lawmicha lawmicha approved these changes

@richardmcclellan richardmcclellan richardmcclellan left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@wooj2 @richardmcclellan @lawmicha @TrekSoft