Posted On: Jul 30, 2021
Today we’re releasing a flexible and simple way to implement custom authorization logic with Amazon Lambda for Amazon AppSync GraphQL API calls.
AppSync is a managed GraphQL service that simplifies application development by letting you create a flexible API to securely access, manipulate, and combine data from one or more data sources with less network calls. With AppSync, you create GraphQL APIs that your applications interact with over the internet. While the API endpoints are publicly reachable, they never allow unauthorized access. A method of authorization — a token in the request header or signing the request itself with IAM credentials — is always required to access your AppSync API. Until recently AppSync provided these different authorization modes:
- API Keys
- OpenID Connect
- Identity and Access Management (IAM)
We’re now adding a new authorization mode based on Amazon Lambda for use cases that have specific requirements not entirely covered by the existing authorization modes, allowing you to implement custom authorization strategies to secure your GraphQL APIs.
Whenever a request reaches AppSync, the Lambda function of choice will receive an authorization token from the client and execute the desired authorization logic defined by the developer. AppSync will receive a payload from Lambda after invocation, allow or deny the API call accordingly, and ingest specific context data for authorized calls from Lambda to GraphQL resolvers in AppSync.
AppSync, now with the ability to implement custom authorization logic with Amazon Lambda, provides the flexibility required to meet all of your authorization requirements. You can mix and match Amazon Lambda-based authorization with any of the existing AppSync authorization modes in a single API, and link specific authorization providers to types, fields, or operations in the GraphQL schema.
To learn more, please visit the AppSync product page.