Multiple-authentication methods with AWS AppSync

Many AWS AppSync customers will have noticed a change in the AWS Console during the last 24 hours with the release of support for multiple authentication methods. It's probably the single most requested feature for AppSync. While we're still waiting for the offical blog announcement I had a chance to explore it earlier today by adding API Key authentication to an existing application that previously only supported Cognito User Pools.

Prior to today AWS AppSync supported four authentication methods:

  • API Key
  • Cognito User Pools
  • OpenID Connect

Each of these methods had advantages and disadvantages. The problem was you needed to pick one and suffer through the (sometimes painful) disadvantages.

For example: I would routinely use Cognito User Pools because it was a good fit for any site/application with registered users but it took a lot of hacking to get unauthenticated users working. Even then each request was still authenticated but I was using a shared anonymous user account for everyone.

That changes with the release of mulitple authentication methods.

You start by setting the default authorization mode which will be used by AppSync.

AWS AppSync default authorization mode screenshot

Then you add additional authorization providers. Below I've added API keys.

Screenshot of additional authorization providers for AWS AppSync

Once you've added the additional authorization providers you need to markup the GraphQL schema so AppSync know which types and fields can be accessed using those authorization methods.

Marking up the GraphQL schema in AWS AppSync for additional authorization providers

To figure this out I used the RFC over at the AppSync Community Github. With minimal fuss I was able to add API key support to a few minutes.

Once the official release announcement is made and the documentation has been updated I'll do a full video over on YouTube (subscribe there or join my mailing list to be notified). Until then I'll simply say that the multiple authentication methods solution solves a lot of problems that made it difficult to use AppSync with anonymous user (i.e. unauthentication web traffic) and backend services that needed to trigger subscriptions.