Core EOS and AWS AppSync

Bo Motlagh
United Effects™
May 2, 2022


Did you know you can use Core EOS with AWS AppSync to authorize your requests? It’s a very easy setup. Let’s walk through an example.

Before we dive in, just a note about the two URLs Core EOS references:

  • Core EOS Platform UI: core.unitedeffects.com, where you interact with the screens and manage your platform and account
  • Core EOS OIDC Provider: auth.unitedeffects.com, the issuer and URL for all OIDC and API requests. See documentation here

Step 1

Let’s get started in Core EOS (core.unitedeffects.com). Create a product to represent whatever you are using AppSync for, and then add an API service. Here we are simply adding an API service to our Demo Core product. For this service, we are going to:

  • Give it the name “Client Credential Service”
  • Add “client_credentials” as the Grant Type
  • Scroll down to the bottom and click “Add Service”

Step 2

Collect your Client ID and Client Secret. You’ll need them for later.

Step 3

Before heading to AWS, let’s make a copy of our Platform ID. We’ll need it later. Click settings and under Auth Group, you’ll see it. You can copy it using the icon. The image below depicts our Alias as an example; yours will be different.

Step 4

Now let’s set up a demo AppSync project. Just log into your AWS console and navigate to AppSync. From there, click Create AWS AppSync API. If you already have an API, skip to step 6.

Step 5

Go ahead and select a sample project to get an API working asap.

Step 6

To configure this API to use Core EOS, you just need to make the following changes. First, choose “OpenID Connect” as your Default Authorization Mode.

And second, enter your Core EOS issuer URL into the “OpenID Connect provider domain (Issuer URL)” input field. Your issuer URL is the OIDC URL + your Platform ID from step 3. If you have a custom domain for the OIDC URL, use that instead. Also please note that in most circumstances, your Platform Alias is interchangeable with your Platform ID; however, AWS will require the ID and not the alias for their implementation of OIDC validation.

auth.unitedeffects.com/YOUR_PLATFORM_ID

The other fields are optional to provide additional validation; however, there is a known AWS bug with the Client ID field that will cause a validation error (see bug here). It is not required for this implementation to work and we recommend omitting it until AWS resolves the issue.

Step 7

Now you just need a token! In this example, we are generating a client_credential token; however, other flows such as code_authorization will work just as well. The only requirement is that you end up with a JWT token to provide to AppSync. In Core EOS (and most OIDC implementations), to obtain a JWT as opposed to an opaque token, you must provide a “resource” parameter that will be used as the “audience” claim of the token. An audience claim tells an underlying system that receives the token whether or not it is the intended audience/recipient. For our example, we will simply use the Core EOS issuer URL with the platform alias. Use the curl command below and insert the Client ID and Client Secret from step 2.

curl --user "CLIENT_ID:CLIENT_SECRET" -X POST "https://auth.unitedeffects.com/YOUR-ALIAS/token" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=client_credentials&resource=https://auth.unitedeffects.com/YOUR-ALIAS"

This will return your token object which has three properties:

  • access_token: your JWT token
  • expires_in: the seconds until your token expires
  • token_type: in this case “bearer”

Copy the access_token value.
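
Before pasting the token into AppSync, it can help to confirm that it really is a JWT and that its claims line up with what was configured in step 6. The following is an added example, not code from Core EOS or AWS: a Python pre-flight check on the token object returned by the curl command. It assumes the token's "iss" claim equals the issuer URL entered in AppSync; the function names and the sample values are hypothetical.

```python
import base64
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_jwt(claims: dict) -> str:
    """Build a constructed JWT-shaped string for offline testing only."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.c2lnbmF0dXJl"


def preflight(token_response: dict, issuer: str, audience: str, now=None) -> list:
    """Return a list of problems; an empty list means the token looks usable.

    The signature is NOT verified here. This is only a diagnostic; AppSync
    performs the real validation when the request is made.
    """
    now = time.time() if now is None else now
    parts = str(token_response.get("access_token", "")).split(".")
    if len(parts) != 3:
        return ["access_token is not a JWT (opaque token): was 'resource' sent?"]
    try:
        payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
        claims = json.loads(base64.urlsafe_b64decode(payload))
        if not isinstance(claims, dict):
            raise ValueError("payload is not a JSON object")
    except ValueError:
        return ["JWT payload segment is not base64url-encoded JSON"]
    problems = []
    if str(token_response.get("token_type", "")).lower() != "bearer":
        problems.append("token_type is not bearer")
    if claims.get("iss") != issuer:  # assumption: iss must equal the step 6 URL
        problems.append(f"iss {claims.get('iss')!r} != configured issuer {issuer!r}")
    aud = claims.get("aud")  # aud may be a single string or a list of strings
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not contain {audience!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or has no numeric exp claim")
    return problems
```

Call preflight() with the parsed JSON from the curl response, the issuer URL from step 6, and the value you sent as the resource parameter.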

Step 8

Navigate to Queries in the AppSync UI and paste the token into the “Authorization Token” field. Click the button to run your request and you’ll see it succeed!

And that’s it! You have now integrated your Core EOS Platform to AppSync and can validate requests. If you haven’t already, sign up today for your free access to Core EOS at:

Follow us on Twitter, LinkedIn and Medium and if you need help with anything related to Core EOS, do not hesitate to reach out to help@unitedeffects.com.
