Application client tokens not working with API (AWS AppSync)

Hello everyone,

I’m having an issue setting up an application in Auth0 for access to an API from AWS AppSync. If I create a test token in the dashboard, it works, but not with my real users.

There are no restrictions on the AppSync side at the moment except for the issuer, which is the same in both cases. According to their documentation, they do a match on the iss attribute. I do not have client ID or TTL restrictions set up.

I am taking the access token generated by the Next.js library, and I have specified the audience, which matches the test credentials.

This works (test from Auth0 console):

{
  "sub": "xxxxxxxxxxxxxxxxxxx@clients",
  "aud": "https://APPSYNC-URL",
  "azp": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "iss": "https://AUTH0_DOMAIN.us.auth0.com/",
  "exp": 1734123712,
  "iat": 1734037312,
  "gty": "client-credentials"
}

This doesn’t (copied from accessToken attribute of getSession()):

{
  "iss": "https://AUTH0_DOMAIN.us.auth0.com/",
  "sub": "google-oauth2|xxxxxxxxxxxxx",
  "aud": [
    "https://APPSYNC-URL",
    "https://AUTH0_DOMAIN.us.auth0.com/.well-known/openid-configuration"
  ],
  "iat": 1734075727,
  "exp": 1734162127,
  "scope": "openid profile email",
  "azp": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}

I’m only getting this response in the logs, which isn’t very useful. I am testing from the AWS Console, not through code at the moment, so it cannot be a code issue.

{x-amzn-ErrorType=UnauthorizedException}

I noticed the test credentials don’t have scope, but that seems normal. The client generated tokens don’t have gty, but that also makes sense as they are for a user, not a client.

Any ideas?
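As an added worked example (not part of the original post, and not Auth0 or AWS code), the following Python script applies the claim checks an AppSync OIDC authorizer is documented to make (issuer URL match on iss, optional client ID matched against aud or azp, optional AuthTTL and IatTTL) to the two payloads quoted above. It shows that both payloads pass with only the issuer configured, that aud being a string on one token and an array on the other makes no difference to that check, and that the one configuration slip that does reject both is an issuer URL without Auth0's trailing slash. It does not verify signatures, which AppSync does separately against the issuer's JWKS, so an empty problem list here does not prove AppSync will accept the token. The claim values are copied from the post with the same redactions; the fixed NOW timestamp, the unsigned test-token builder and the reading of AuthTTL as relative to auth_time and IatTTL as relative to iat are assumptions made for this example.

```python
import base64
import json
import time
from typing import List, Optional

# Claims copied from the two tokens in the post (constructed test data; redacted as in the post).
CLIENT_CREDENTIALS_CLAIMS = {
    "sub": "xxxxxxxxxxxxxxxxxxx@clients",
    "aud": "https://APPSYNC-URL",
    "azp": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "iss": "https://AUTH0_DOMAIN.us.auth0.com/",
    "exp": 1734123712,
    "iat": 1734037312,
    "gty": "client-credentials",
}
USER_CLAIMS = {
    "iss": "https://AUTH0_DOMAIN.us.auth0.com/",
    "sub": "google-oauth2|xxxxxxxxxxxxx",
    "aud": [
        "https://APPSYNC-URL",
        "https://AUTH0_DOMAIN.us.auth0.com/.well-known/openid-configuration",
    ],
    "iat": 1734075727,
    "exp": 1734162127,
    "scope": "openid profile email",
    "azp": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
}

# The AppSync issuer URL must equal the token's iss byte for byte, trailing slash included.
ISSUER = "https://AUTH0_DOMAIN.us.auth0.com/"
# Assumed "current time" that lies inside both tokens' iat..exp windows, so the example is deterministic.
NOW = 1734100000


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_unsigned_test_token(claims: dict) -> str:
    """Build a compact JWT with a placeholder signature so the parser can be exercised offline.
    This helper signs nothing; AppSync checks the real signature against the issuer's JWKS."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS (header.payload.signature) WITHOUT verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims: dict, issuer: str, client_id: Optional[str] = None,
                 auth_ttl_ms: Optional[int] = None, iat_ttl_ms: Optional[int] = None,
                 now: Optional[float] = None) -> List[str]:
    """Mirror the AppSync OIDC authorizer settings; return a list of reasons to reject (empty = claims OK)."""
    now = time.time() if now is None else now
    problems: List[str] = []
    if claims.get("iss") != issuer:                      # exact string comparison, no normalisation
        problems.append(f"iss {claims.get('iss')!r} != configured issuer {issuer!r}")
    aud = claims.get("aud")                              # aud may be a string or an array per RFC 7519
    aud_values = aud if isinstance(aud, list) else ([aud] if aud is not None else [])
    if client_id is not None and client_id not in aud_values and claims.get("azp") != client_id:
        problems.append(f"client id {client_id!r} found in neither aud nor azp")
    exp = claims.get("exp")
    if exp is None or now >= exp:
        problems.append("token expired (exp)")
    iat = claims.get("iat")                              # IatTTL assumed relative to iat
    if iat_ttl_ms is not None and (iat is None or now > iat + iat_ttl_ms / 1000):
        problems.append("token older than IatTTL")
    auth_time = claims.get("auth_time")                  # AuthTTL assumed relative to auth_time
    if auth_ttl_ms is not None and (auth_time is None or now > auth_time + auth_ttl_ms / 1000):
        problems.append("authentication older than AuthTTL, or token carries no auth_time claim")
    return problems


if __name__ == "__main__":
    for name, claims in (("client-credentials", CLIENT_CREDENTIALS_CLAIMS), ("user", USER_CLAIMS)):
        parsed = decode_jwt_payload(make_unsigned_test_token(claims))
        print(name, "issuer only:", check_claims(parsed, ISSUER, now=NOW) or "OK")
        print(name, "issuer without trailing slash:", check_claims(parsed, ISSUER.rstrip("/"), now=NOW))
        print(name, "with AuthTTL=1h:", check_claims(parsed, ISSUER, auth_ttl_ms=3_600_000, now=NOW))
```

Running it shows both payloads passing the issuer-only check, both failing when the configured issuer lacks the trailing slash, and both failing an AuthTTL because neither token carries auth_time, which is one reason to leave the TTL fields unset while debugging. With the claims equal on the points AppSync compares, the remaining differences between the two tokens lie in what this script deliberately does not check: the header (alg, kid) and whether the signature verifies against the JWKS published by the configured issuer.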

Hi @lpinkhard

I am sorry to hear about the issue that you are facing with AWS AppSync.

I believe there might be a misconfiguration in how you have set up the API on Auth0.
I have researched related topics regarding the error you are receiving, and it most probably appears to be due to the gateway not allowing Access-Control-Allow-Origin, as per the AWS documentation, because all the settings for the header and CORS must be set before being deployed. I found that the API gateway does not block this setting and does not display any error message. The gateway will also not change the header even if your setting process shows success. In this case, you might need to redeploy the API Gateway stage and try the following configuration for CORS and the authorizer:

  1. Have the API Lambda code return the Access-Control-Allow-Origin header.
  2. Enable CORS in API Gateway.
  3. Disable the custom authorizer for the OPTIONS method.
  4. Deploy the modifications (steps 2 and 3) to the API Gateway stage to make them active.

I would recommend reviewing the AWS AppSync documentation in more detail, as well as their security documentation. The issue might also be caused by the AuthTTL and Issued At TTL not matching the token, in which case you might need to delete them from the AppSync OIDC settings.
I would also recommend reviewing the documentation we provide on Auth0 regarding AWS APIs.

Please let me know if you have any additional questions, if the solution provided above does not work, or if you have already found a solution to your issue, by leaving a reply on this post.

Kind Regards,
Nik