Page updated Apr 12, 2024

Use OpenID Connect as an authorization provider

Private, owner, and group authorization can be configured with an OpenID Connect (OIDC) authorization mode. Add "oidc" to the authorization rule as the provider. Use the oidcAuthorizationMode property to configure the OpenID Connect provider name, the OpenID Connect issuer URL, the Client ID, the Issued-at TTL (tokenExpireFromIssueInSeconds, the maximum age of a token measured from its iat claim) and the Auth Time TTL (tokenExpiryFromAuthInSeconds, the maximum age measured from its auth_time claim).

The example below highlights the supported authorization strategies with an oidc authorization provider. For owner- and group-based authorization, you will also need to specify a custom identity claim and a custom group claim.

amplify/data/resource.ts

// amplify/data/resource.ts
import { a, defineData, type ClientSchema } from '@aws-amplify/backend';

const schema = a.schema({
  Todo: a
    .model({
      content: a.string(),
    })
    .authorization([
      a.allow.owner('oidc').identityClaim('user_id'),
      a.allow.private('oidc'),
      a.allow
        .specificGroups(['testGroupName'], 'oidc')
        .withClaimIn('user_groups'),
    ]),
});

export type Schema = ClientSchema<typeof schema>;

export const data = defineData({
  schema,
  authorizationModes: {
    defaultAuthorizationMode: 'oidc',
    oidcAuthorizationMode: {
      oidcProviderName: 'oidc-provider-name',
      oidcIssuerUrl: 'https://example.com',
      clientId: 'client-id',
      tokenExpiryFromAuthInSeconds: 300,
      tokenExpireFromIssueInSeconds: 600,
    },
  },
});

In your application, you can perform CRUD operations against the model using client.models.<model-name> by specifying the oidc auth mode.

import { generateClient } from 'aws-amplify/data';
import type { Schema } from '../amplify/data/resource'; // Path to your backend resource definition

const client = generateClient<Schema>();

const { errors, data: todos } = await client.models.Todo.list({
  authMode: 'oidc',
});