#help

Gabriel

05/30/2022, 12:58 PM
Hi, I have tried to upgrade my auth to v1.0 (from 0.69) from:
const api = new sst.Api(this, "Api", {
  defaultAuthorizer: new apigAuthorizers.HttpUserPoolAuthorizer("Authorizer", userPool, {
    userPoolClients: [userPoolClient],
  }),
  defaultAuthorizationType: sst.ApiAuthorizationType.JWT,
});
to:
new Api(stack, "Api", {
  authorizers: {
    Authorizer: {
      type: "user_pool",
      userPool: {
        id: userPool.userPoolId,
        clientIds: [userPoolClient.userPoolClientId],
      },
    },
  },
  defaults: {
    authorizer: "Authorizer",
  },
});
and now I'm getting an error Bearer scope="" error="invalid_token" error_description="the token does not have a valid audience". The thing is that the token does have an aud (also the old example worked fine). Any clues on how to solve this?
If I use this instead then it's working fine.
new Api(stack, "Api", {
  authorizers: {
    MyAuthorizer: {
      type: "jwt",
      jwt: {
        issuer: "https://myorg.us.auth0.com",
        audience: ["UsGRQJJz5sDfPQDs6bhQ9Oc3hNISuVif"],
      },
    },
  },
  defaults: {
    authorizer: "MyAuthorizer",
  },
});
@thdxr do you think it's a bug? If I import the user pool and reference it in the authorizer, the authorizer creates a new app client and then the client id (audience) is new in the authorizer. (Expected outcome: to use the passed-in client id.) See code below:
const userPool = cognito.UserPool.fromUserPoolId(
  this,
  "IUserPool",
  "us-east-1_abcd"
);

const userPoolClient = cognito.UserPoolClient.fromUserPoolClientId(
  this,
  "IUserPoolClient",
  "123456asd"
);

new Api(stack, "Api", {
  authorizers: {
    Authorizer: {
      type: "user_pool",
      userPool: {
        id: userPool.userPoolId,
        clientIds: [userPoolClient.userPoolClientId],
      },
    },
  },
  defaults: {
    authorizer: "Authorizer",
  },
});

thdxr

05/30/2022, 1:42 PM
Will let @Frank chime in when he has a moment

Frank

05/31/2022, 6:07 AM
@Gabriel can you give this a try (using the ids directly):
new Api(stack, "Api", {
  authorizers: {
    Authorizer: {
      type: "user_pool",
      userPool: {
        id: "us-east-1_abcd",
        clientIds: ["123456asd"],
      },
    },
  },
  defaults: {
    authorizer: "Authorizer",
  },
});
and see if you get the same behavior?

Gabriel

05/31/2022, 8:51 AM
@Frank so I tried adding the id and clientIds as strings and ran remove / deploy stack. What it seems to do is create a new app client in the userPool (i.e. "us-east-1_abcd") and then assign the newly created app client id as the audience in the authorizer, while the expected outcome here is that it should use the client id from clientIds?

Frank

05/31/2022, 2:19 PM
@Gabriel can you run sst build > go into .sst/cdk > open up the template file for the stack > search for AWS::Cognito::UserPoolClient
If it’s there, CloudFormation will create a new client instead of reusing the existing one.
Let me know what you find.

Gabriel

06/01/2022, 10:36 AM
OK so I found my template in .build>.cdk.out>stack-name.template.json and it has this:
"ApiApiApiAuthorizermyAuthorizerUserPoolUserPoolAuthorizerClientEF12345": {
  "Type": "AWS::Cognito::UserPoolClient",
  "Properties": {
    "UserPoolId": "us-east-1_abcd",
    "AllowedOAuthFlows": [
      "implicit",
      "code"
    ],
    "AllowedOAuthFlowsUserPoolClient": true,
    "AllowedOAuthScopes": [
      "profile",
      "phone",
      "email",
      "openid"
    ],
    "CallbackURLs": [
      "https://example.com"
    ],
    "SupportedIdentityProviders": [
      "COGNITO"
    ]
  },
  "Metadata": {
    "aws:cdk:path": "dev-mystack-sst-yarn-app-dev-stack/Api/Api-Api-Authorizer-myAuthorizer-UserPool/UserPoolAuthorizerClient/Resource"
  }
},
@Frank sooo this is a silly thing. It turns out I had it as "clientsIds" instead of "clientIds" and then it just silently failed in JS.
Authorizer: {
  type: "user_pool",
  userPool: {
    id: userPool.userPoolId,
    **clientsIds**: [userPoolClient.userPoolClientId],
  },
},
Thanks for pointing to the template, so I could try to dig deeper. Also I found that you can still do it the "old" way (just not an example in the docs or migration guide):
Authorizer: {
  type: "user_pool",
  cdk: {
    authorizer: new apigAuthorizers.HttpUserPoolAuthorizer("Authorizer", userPool, {
      userPoolClients: [userPoolClient],
    }),
  },
},