I have added some JSON objects to roles which are attached to users, and when I log in to my SPA I am able to get that permissions array in the UI.
However I have noticed that when I then make requests to AWS AppSync the permissions array is not included and I do not know why. I need that in the API so I can verify that a user actually has permission to retrieve the data they are making API calls for.
How would I get the permissions in AppSync, and does anyone know why they are missing? AppSync is integrated with Auth0 and I need to pass a valid token to be able to call the API, which is one half of the problem solved, but I cannot then verify that the user actually has permission to view the data.
I think from my investigation so far the AppSync console works with either the access token or the ID token, but when calling through the actual API using axios only the raw ID token works. My current plan now is to also pass the access token as a separate header and then manually validate it using the well-known endpoint, then, once successful, pull the permissions from this.
Given the Auth0 docs somewhere say that the ID token alone could be a security risk (although AppSync does allow me to set the client ID), it seems strange that AppSync only works with the ID token as the authorization header value.