Using Auth0 as an Identity Provider for GraphQL APIs with AWS AppSync

This article was written by Raghavarao Sodabathina and Jana Gnanachandran, Enterprise Solutions Architects, AWS

September 14, 2021: Amazon Elasticsearch Service has been renamed to Amazon OpenSearch Service. See details.

AWS AppSync is a managed serverless GraphQL service that simplifies application development by letting you create a flexible API to securely access, manipulate, and combine data from one or more data sources with a single network call. With AppSync, developers can build scalable applications on a range of data sources, including Amazon DynamoDB NoSQL tables, Amazon Aurora Serverless relational databases, Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) clusters, HTTP/REST APIs, and serverless functions powered by AWS Lambda.

There are four ways you can authorize applications to interact with your GraphQL API in AppSync. You define which authorization type to use by specifying one of the following modes in your AWS AppSync API:

• API_KEY, to authorize clients based on API keys.
• AWS_IAM, to authorize clients based on AWS Identity and Access Management (IAM).
• OPENID_CONNECT, to authorize clients based on OpenID Connect identity providers such as Okta or Auth0
• AMAZON_COGNITO_USER_POOLS, to authorize clients based on Amazon Cognito User Pools.

You can also mix and match multiple authorization modes in a single API. For more information on AppSync’s built-in security and authorization features, see our GraphQL security primer blog post.

In this article we walk you through the integration between Auth0, an AWS Competency Partner and popular Identity-as-a-Service (IDaaS) solution, and AppSync using OpenID Connect (OIDC) to authorize GraphQL API calls. The following diagram depicts a sample architecture of a generic integrated solution between Auth0 and AppSync over OpenID Connect.

In the following sections you learn how to configure both Auth0 and AppSync then test the integration with a secure GraphQL API backed by DynamoDB in minutes and in 16 easy steps.

Auth0 Setup

1. Sign up for an Auth0 account

2. Select a tenant domain. In this example, we define the tenant name as oidc. The OpenID Connect provider domain (Issuer URL) is configured as follows:

3. If you had already signed up with Auth0, log into your Auth0 account. Your tenant name can be found at the top-right corner of the Auth0 portal.

4. Create a new Auth0 API in your account by selecting APIs on left menu and clicking the Create API button:

5. Provide a Name and an Identifier for your API and leave the Signing Algorithm as RS256. Auth0 recommends using a URL. Click on the Create button to create your new API.

AWS AppSync Setup

1. Log in to the AppSync console and click the Create API button.

2. Select the Create with wizard option and click on the Start button.

3. For this example, we create a main Customer type comprised of customer id, name, city, state, and country. In the Configure model fields section add the required fields of your API and use the default options in the Configure model table section. Click the Create button to proceed.

4. Next define a name for your API and click the Create button to start the GraphQL API as well as the DynamoDB data source creation process.

5. Go to Settings on the left menu and, under Default authorization mode, select OpenID Connect from the drop-down.

6. Under Configuration, enter your Auth0 domain name in the OpenID Connect provider domain (URL) field then click on the Save button.

Your AppSync API has been created and it’s ready for testing. You have completed the OpenID Connect configuration steps to set up Auth0 as an identity provider in AppSync.

Testing

1. To test your GraphQL API authentication, log into your Auth0 account, click on APIs on the left menu and select the API you would like to get an access token for. Navigate to the Test tab, and click on the copy icon under Response.

2. In the AppSync console, select Queries on the left menu and paste the access token that you got from the Auth0 dashboard in the text box next to the orange Execute Query button.

3. We add a new customer record with a GraphQL mutation. In this example, we add two customer records, customer1 from Boston, MA, and customer2 from Dallas, TX as shown below. You can add the customer details in the Query Variables section. Next, click on the orange execute query button, and select the createCustomer mutation as highlighted below.

4. The customer records can be fetched using GraphQL queries. Select listCustomers from the execute query button drop-down to fetch the customer records created in the previous step.

5. To confirm the customer records were created in the DynamoDB table, go to the Data Sources section on the left menu, and click on the DynamoDB table name to open the DynamoDB console. You should see the two customer records created through AppSync and authorized by Auth0.

Now your AppSync API is ready and you can connect to it from a client application using the AppSync SDK, the Amplify clients, or any other GraphQL client. You can also configure additional authorization business logic directly in AppSync resolvers as well as capture user information directly from the JWT tokens by leveraging the $context.identity object.

Conclusion

In this blog post, we have demonstrated how to set up Auth0 as an identity provider with AppSync. We have also demonstrated how quickly and easily you can create APIs by using AppSync with DynamoDB as an AppSync data source. With this solution, you now have a fully managed, highly available GraphQL API that uses Auth0 as the custom identity provider for your users. You can also get a jump-start by checking the AWS AppSync Developer Guide, which provides guidance on how to build applications using GraphQL with robust database, search, and compute capabilities based on AWS AppSync.

Raghavarao Sodabathina is an Enterprise Solutions Architect at AWS, focusing on Data Analytics, AI/ML and Serverless platforms. He engages with customers to create innovative solutions that address customer business problems and accelerate the adoption of AWS services. In his spare time, Raghavarao enjoys spending time with his family, reading books, and watching movies. Raghavarao holds a Masters of Engineering from the Indian Institute of Science, Bangalore.

Jana Gnanachandran is an Enterprise Solutions Architect at AWS, focusing on Data Analytics, AI/ML and Serverless platforms. He helps AWS customers across numerous industries to design and build highly scalable data-driven analytical solutions and accelerate their cloud adoption. In his spare time, he enjoys playing tennis, 3D printing and photography.