Extracting Identity When Using Multiple Authentication Methods in AppSync

Back in May, Amazon announced support for multiple authentication methods in AppSync. This was a pretty huge deal because it really opens up a variety of ways to access an AppSync API, such as using an API key for anonymous users and Cognito when you need users to authenticate first.

I found that this support led me almost immediately to the challenge of supporting identity information from multiple methods in AppSync resolvers. You can get some metadata about the authenticated user in $ctx.identity, but when using API_KEY in particular, the $ctx.identity field is not populated at all.

I resolved this by adding the following in my Before template for all Pipeline Resolvers.

## A populated sub means the caller authenticated through Cognito.
#if( !$util.isNullOrEmpty($ctx.identity.sub) )
  $util.qr($ctx.stash.put("AWS_CURRENT_USER", "${ctx.identity.sub}"))
  $util.qr($ctx.stash.put("AWS_AUTH_TYPE", "AMAZON_COGNITO_USER_POOLS"))
#else
  ## No sub on the identity: treat the request as API_KEY and
  ## copy the key from the x-api-key request header into the stash.
  #foreach($header in $ctx.request.headers.entrySet())
    #if($header.key == "x-api-key")
      $util.qr($ctx.stash.put("AWS_API_KEY", $header.value))
    #end
  #end
  $util.qr($ctx.stash.put("AWS_AUTH_TYPE", "API_KEY"))
#end

{}

This allows you to do things like the following in Function Resolvers.


#if($ctx.stash.AWS_AUTH_TYPE == "AMAZON_COGNITO_USER_POOLS")
  ## ...do stuff with $ctx.stash.AWS_CURRENT_USER here...
#end

#if($ctx.stash.AWS_AUTH_TYPE == "API_KEY")
  ## ...do stuff with $ctx.stash.AWS_AUTH_TYPE here...
#end
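
The Before template treats any identity with a sub as Cognito and everything else as API_KEY, which holds for the two modes used here. As an added example (not the author's template, and plain JavaScript run on constructed context objects rather than a deployable resolver), the same stash logic extended to tell OIDC and IAM callers apart; the helper names, the issuer-prefix check, the use of userArn as the current user, and the UNKNOWN value are assumptions.

```javascript
// Added example: models the Before-template stash logic on constructed ctx objects.
// classifyIdentity and findHeader are hypothetical helper names.
const COGNITO_ISSUER_PREFIX = "https://cognito-idp."; // assumption: user pool issuer URL prefix

function findHeader(headers, name) {
  // Case-insensitive lookup, in case header names arrive in mixed case.
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === name) return value;
  }
  return undefined;
}

function classifyIdentity(ctx) {
  const stash = {};
  const id = ctx.identity;
  if (id && id.sub) {
    // Cognito User Pools and OIDC both populate sub; the issuer tells them apart.
    const cognito = typeof id.issuer === "string" && id.issuer.startsWith(COGNITO_ISSUER_PREFIX);
    stash.AWS_AUTH_TYPE = cognito ? "AMAZON_COGNITO_USER_POOLS" : "OPENID_CONNECT";
    stash.AWS_CURRENT_USER = id.sub;
  } else if (id && id.userArn) {
    // IAM-signed requests carry no sub, so they must not fall through to API_KEY.
    stash.AWS_AUTH_TYPE = "AWS_IAM";
    stash.AWS_CURRENT_USER = id.userArn; // assumption: ARN used as the user identifier
  } else {
    const apiKey = findHeader(ctx.request && ctx.request.headers, "x-api-key");
    if (apiKey) {
      stash.AWS_AUTH_TYPE = "API_KEY";
      stash.AWS_API_KEY = apiKey;
    } else {
      stash.AWS_AUTH_TYPE = "UNKNOWN"; // no identity and no key: refuse to guess
    }
  }
  return stash;
}

// Constructed sample contexts (not captured from a real API).
const samples = {
  cognito: { identity: { sub: "user-1", issuer: "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE" }, request: { headers: {} } },
  oidc: { identity: { sub: "user-2", issuer: "https://idp.example.com/" }, request: { headers: {} } },
  iam: { identity: { userArn: "arn:aws:iam::123456789012:user/example" }, request: { headers: {} } },
  apiKey: { identity: null, request: { headers: { "X-Api-Key": "da2-constructedkey" } } },
  none: { identity: null, request: { headers: {} } },
};

for (const [name, ctx] of Object.entries(samples)) {
  console.log(name, classifyIdentity(ctx));
}
```

Function resolvers can then branch on AWS_AUTH_TYPE exactly as above, with UNKNOWN handled as a denial rather than as an anonymous API key caller.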