API (GraphQL)

Configure authorization modes

AppSync supports authorization by means of API keys, AWS IAM credentials, Amazon Cognito User Pools, and third-party OIDC providers. The type of authorization being used is determined from the amplifyconfiguration.dart file, which is read when you call Amplify.configure().

API key

API Key is the simplest way to set up and prototype your application with AWS AppSync. While simple, the mechanism is easy to abuse, since anyone who discovers your API key can make requests to your public service. Production applications should authorize requests via a Cognito user pool or AWS IAM. Your API key will expire according to the expiry time that you set when provisioning AWS AppSync; you will need to extend its lifespan, or create a new API key, when that happens.

Amazon Cognito User Pools

Amazon Cognito's user pool is most commonly used with AWS AppSync when adding authorization checks to your API calls. If your application needs to interact with other AWS services besides AWS AppSync, such as Amazon S3, you will need to use AWS IAM credentials obtained through Amazon Cognito's identity pools. The Amplify CLI can automatically configure this for you when running amplify add auth, and will also automatically use the authenticated user from the user pool to federate with the identity pool and provide AWS IAM credentials in the application. See this for more information about the differences. This allows you to have both user pool credentials for AWS AppSync and AWS IAM credentials for other AWS resources. You can learn more about Amplify Auth in the Accessing credentials section. For manual configuration, add the following snippet to your amplifyconfiguration.dart file, under the awsCognitoAuthPlugin:

{
  ...
  "awsCognitoAuthPlugin": {
    "CognitoUserPool": {
      "Default": {
        "PoolId": "[POOL-ID]",
        "AppClientId": "[APP-CLIENT-ID]",
        "Region": "[REGION]"
      }
    }
  }
}

and under the awsAPIPlugin:

{
  ...
  "awsAPIPlugin": {
    "<YOUR-GRAPHQLENDPOINT-NAME>": {
      "endpointType": "GraphQL",
      "endpoint": "[GRAPHQL-ENDPOINT]",
      "region": "[REGION]",
      "authorizationType": "AMAZON_COGNITO_USER_POOLS"
    }
  }
}

Add the following code to your app:

// Register the Auth plugin together with the API plugin so that API requests
// are authorized with the configured Cognito credentials.
await Amplify.addPlugins([AmplifyAuthCognito(), AmplifyAPI()]);

IAM

Amazon Cognito identity pools allow you to use credentials from AWS IAM in a mobile application. The Amplify CLI can automatically configure this for you when running amplify add auth. For manual configuration, add the following snippet to your amplifyconfiguration.dart file:

{
  ...
  "awsCognitoAuthPlugin": {
    "CredentialsProvider": {
      "CognitoIdentity": {
        "Default": {
          "PoolId": "[COGNITO-IDENTITY-POOLID]",
          "Region": "[REGION]"
        }
      }
    }
  }
}

and under the awsAPIPlugin:

{
  ...
  "awsAPIPlugin": {
    "<YOUR-GRAPHQLENDPOINT-NAME>": {
      "endpointType": "GraphQL",
      "endpoint": "[GRAPHQL-ENDPOINT]",
      "region": "[REGION]",
      "authorizationType": "AWS_IAM"
    }
  }
}

OIDC

OIDC mode is not yet supported for Flutter. We are actively working on this.

We have created a GitHub issue to track this missing feature.

Multi-Auth

This section covers the capability of AWS AppSync to configure multiple authorization modes for a single AWS AppSync endpoint and region. Follow the AWS AppSync Multi-Auth documentation to configure multiple authorization modes for your AWS AppSync endpoint.

You can now configure a single GraphQL API to deliver private and public data. Private data requires authenticated access using authorization mechanisms such as IAM, Cognito User Pools, and OIDC. Public data does not require authenticated access and is delivered through authorization mechanisms such as API Keys. You can also configure a single GraphQL API to deliver private data using more than one authorization type. For example, you can configure your GraphQL API to authorize some schema fields using OIDC, while other schema fields through Cognito User Pools and/or IAM.

As discussed in the documentation linked above, certain fields may be protected by different authorization types. This can lead to the same query, mutation, or subscription returning different responses depending on the authorization sent with the request; therefore, it is recommended to use a distinct friendly_name_<AuthMode> as the apiName parameter in the Amplify.API call to reference each authorization type.

The following snippets highlight the new values in the amplifyconfiguration.dart and the client code configurations.

The friendly_name illustrated here is created from the Amplify CLI prompt. There are 4 clients in this configuration that connect to the same API but use different AuthModes.

{
  "UserAgent": "aws-amplify-cli/2.0",
  "Version": "1.0",
  "api": {
    "plugins": {
      "awsAPIPlugin": {
        "[FRIENDLY-NAME-API-WITH-API-KEY]": {
          "endpointType": "GraphQL",
          "endpoint": "[GRAPHQL-ENDPOINT]",
          "region": "[REGION]",
          "authorizationType": "API_KEY",
          "apiKey": "[API_KEY]"
        },
        "[FRIENDLY-NAME-API-WITH-IAM]": {
          "endpointType": "GraphQL",
          "endpoint": "[GRAPHQL-ENDPOINT]",
          "region": "[REGION]",
          "authorizationType": "AWS_IAM"
        },
        "[FRIENDLY-NAME-API-WITH-USER-POOLS]": {
          "endpointType": "GraphQL",
          "endpoint": "https://xyz.appsync-api.us-west-2.amazonaws.com/graphql",
          "region": "[REGION]",
          "authorizationType": "AMAZON_COGNITO_USER_POOLS"
        },
        "[FRIENDLY-NAME-API-WITH-OPENID-CONNECT]": {
          "endpointType": "GraphQL",
          "endpoint": "https://xyz.appsync-api.us-west-2.amazonaws.com/graphql",
          "region": "[REGION]",
          "authorizationType": "OPENID_CONNECT"
        }
      }
    }
  }
}

The [GRAPHQL-ENDPOINT] value from AWS AppSync will look similar to https://xyz.appsync-api.us-west-2.amazonaws.com/graphql.
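As an added example that is not part of the Amplify documentation or the Amplify code base, the following Python script lints the JSON body of an amplifyconfiguration.dart file for the two points raised on this page: the API key caveat (an API_KEY client is public, so it is flagged) and the per-mode friendly_name_<AuthMode> entries of a multi-auth configuration (each mode must have the client-side auth section it depends on, and no placeholder may be left unfilled). It assumes the top-level layout the Amplify CLI writes (auth.plugins.awsCognitoAuthPlugin and api.plugins.awsAPIPlugin); the sample configuration, pool ids, API key and API names are constructed.

```python
"""Lint the authorization settings in an Amplify configuration document
(the JSON that amplifyconfiguration.dart wraps in a Dart string constant).
Added example, not Amplify's own code; the section layout is assumed."""
import json
import re

# authorizationType values AppSync accepts, mapped to the awsCognitoAuthPlugin
# section each one needs on the client (None = no client-side auth section).
REQUIRED_AUTH_SECTION = {
    "API_KEY": None,
    "AWS_IAM": "CredentialsProvider",
    "AMAZON_COGNITO_USER_POOLS": "CognitoUserPool",
    "OPENID_CONNECT": None,
}
PLACEHOLDER = re.compile(r"^\[[A-Z0-9_-]+\]$")  # unfilled values such as "[REGION]"


def lint_amplify_config(config_text):
    """Return (severity, api_name, message) findings for every awsAPIPlugin
    entry. An empty list means the configuration passed every check."""
    config = json.loads(config_text)
    apis = config.get("api", {}).get("plugins", {}).get("awsAPIPlugin", {})
    auth = config.get("auth", {}).get("plugins", {}).get("awsCognitoAuthPlugin", {})
    if not apis:
        return [("error", None, "no awsAPIPlugin entries configured")]
    findings = []
    for name, entry in apis.items():
        mode = entry.get("authorizationType")
        if mode not in REQUIRED_AUTH_SECTION:
            findings.append(("error", name, f"unknown authorizationType {mode!r}"))
            continue
        if entry.get("endpointType") != "GraphQL":
            findings.append(("error", name, "endpointType must be GraphQL"))
        # A placeholder left in place means the client cannot reach or authenticate to the API.
        for key in ("endpoint", "region", "apiKey"):
            value = entry.get(key)
            if isinstance(value, str) and PLACEHOLDER.match(value):
                findings.append(("error", name, f"{key} still holds placeholder {value}"))
        endpoint = entry.get("endpoint", "")
        if not PLACEHOLDER.match(endpoint) and not endpoint.startswith("https://"):
            findings.append(("error", name, "endpoint is missing or does not use https"))
        if mode == "API_KEY":
            # Anyone who learns the key can call this client; fine for public data only.
            findings.append(("warning", name, "API_KEY mode is public; use it only for public data or prototyping"))
            if not entry.get("apiKey"):
                findings.append(("error", name, "API_KEY mode requires an apiKey value"))
        needed = REQUIRED_AUTH_SECTION[mode]
        if needed and needed not in auth:
            findings.append(("error", name, f"{mode} requires awsCognitoAuthPlugin.{needed}, which is missing"))
    return findings


def has_errors(config_text):
    """True when any finding is an error (warnings alone do not block)."""
    return any(sev == "error" for sev, _, _ in lint_amplify_config(config_text))


def _api_entry(mode, **overrides):
    """Build one awsAPIPlugin entry for the constructed sample below."""
    entry = {"endpointType": "GraphQL",
             "endpoint": "https://xyz.appsync-api.us-west-2.amazonaws.com/graphql",
             "region": "us-west-2", "authorizationType": mode}
    entry.update(overrides)
    return entry


# Constructed sample: four clients for one API, one per auth mode, with two
# deliberate defects (no CredentialsProvider for IAM, unfilled region for OIDC).
SAMPLE_CONFIG = json.dumps({
    "UserAgent": "aws-amplify-cli/2.0",
    "Version": "1.0",
    "auth": {"plugins": {"awsCognitoAuthPlugin": {
        "CognitoUserPool": {"Default": {"PoolId": "us-west-2_EXAMPLE",
                                        "AppClientId": "exampleclientid",
                                        "Region": "us-west-2"}},
    }}},
    "api": {"plugins": {"awsAPIPlugin": {
        "myapi_API_KEY": _api_entry("API_KEY", apiKey="da2-exampleapikey"),
        "myapi_AWS_IAM": _api_entry("AWS_IAM"),
        "myapi_AMAZON_COGNITO_USER_POOLS": _api_entry("AMAZON_COGNITO_USER_POOLS"),
        "myapi_OPENID_CONNECT": _api_entry("OPENID_CONNECT", region="[REGION]"),
    }}},
})

if __name__ == "__main__":
    for severity, api_name, message in lint_amplify_config(SAMPLE_CONFIG):
        print(f"{severity:8} {api_name}: {message}")
```

Run it on the constructed sample and it reports one warning for the API_KEY client, an error for the IAM client (no CredentialsProvider section to obtain IAM credentials from), and an error for the OIDC client's unfilled region; the Cognito user pool client passes. To lint a real file, pass it the JSON between the Dart string delimiters of amplifyconfiguration.dart.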

Using multiple modes of authorization at once is not currently supported by Flutter. We are actively working on this.

We have created a GitHub issue to track this missing feature.

Amplify open source, documentation and community are supported by Amazon Web Services © 2021, Amazon Web Services, Inc. and its affiliates. All rights reserved. View the site terms and privacy policy.
Flutter and the related logo are trademarks of Google LLC. We are not endorsed by or affiliated with Google LLC.