Appsync with OIDC Authorization with firebase always throwing Unauthorized for Lambda mutation

0

I am trying to get firebase and Appsync working together. For appsync setup I am doing:

authorizationConfig: {
  defaultAuthorization: {
    authorizationType: AuthorizationType.OIDC,
    openIdConnectConfig: {
      oidcProvider: 'https://securetoken.google.com/<with my proper project id>',
      clientId: '<with the app id from firebase>',
      tokenExpiryFromAuth: 3600
    },
  },
  additionalAuthorizationModes: [
    {
      authorizationType: AuthorizationType.API_KEY,
      apiKeyConfig: {
        description: 'API key used by internal services needing to access AppSync',
        expires: Expiration.after(Duration.days(364)),
        name: 'internal-service-key',
      },
    },
  ],
},

Executing the mutation (which is directed at a Lambda) works via API Key. However, I am always getting Unauthorized when trying it via OpenID Connect. Things I do know: the oidcProvider is right. I am not 100% sure on the clientId; I assume that is the App ID from the Firebase console, which I have used (I have also tried everything else I could find). I successfully generate an Authorization token and use it (AppSync even reports it as expired when I do use it and it's expired).

I do not see any real detail of any issue in Cloudwatch besides the Unauthorized result.

I have been banging my head against the wall for quite some time trying to determine what the issue here might be. Any direction or assistance would be greatly appreciated.

Thanks

1 Answer
0

In this case AppSync is looking for a token issuer that conforms with the OIDC specification, which means it would need to have a /.well-known/openid-configuration endpoint.

It's not clear to me from the Firebase documentation that Firebase is actually a full OIDC provider (just because it issues an identity token in the JWT format doesn't necessarily mean it has all the OIDC endpoints).

You could potentially check by trying to navigate to https://securetoken.google.com/<project_id>/.well-known/openid-configuration with the correct project_id inserted.

If it's not OIDC compliant, but you still want to use the Identity Token issued by Firebase for authorization, you could implement Lambda Authorization and use the Firebase SDK or Third party library approaches described in the Firebase documentation.

AWS
answered a month ago