[[AWS AppSync|AppSync]] allows you to specify [`OPENID_CONNECT`](https://docs.aws.amazon.com/appsync/latest/devguide/security-authz.html#openid-connect-authorization) as an authorization mode. This lets you use an OpenID Connect provider such as Auth0, Google, Firebase, etc. to manage authentication to your API: AppSync never handles user credentials, it only validates the ID Token the provider issues.

## Configuration

To configure this, the following data needs to be set against the AppSync endpoint:

- `issuer` URL (required): a URL to an endpoint hosted by your auth provider, usually including a piece of data unique to your application, e.g. for Firebase the value is `https://securetoken.google.com/${firebaseProjectKey}`. AppSync uses this value both to check the token's `iss` claim and to locate the provider's signing keys, so it must match the `iss` claim in the issued tokens exactly and must serve OpenID Connect discovery at `{issuer}/.well-known/openid-configuration` over HTTPS.
- `clientId`(s) (optional): if set, AppSync only accepts tokens whose audience (`aud`) matches one of the configured client IDs, i.e. tokens the provider issued for your application rather than for some other application registered with the same provider. Leaving it unset means any token the issuer signed is accepted, which is rarely what you want with a shared provider such as Google.

AppSync also accepts optional `authTTL` and `iatTTL` values (in milliseconds) that cap how long after `auth_time` / `iat` a token is still accepted, so a long-lived ID Token cannot be replayed indefinitely.

## Auth data flow

There are three actors in this flow: the Client (e.g. a web or mobile app), the AppSync Endpoint and the OpenID Provider.

1. The Client makes an authentication request to the OpenID Provider, passing its `clientId`.
2. The OpenID Provider verifies the user's credentials and, if they are valid, returns a one-time authorization code to the Client.
3. The Client exchanges the one-time code for an ID Token at the OpenID Provider's token endpoint.
4. The Client passes the ID Token in the `Authorization` HTTP header of each request to the AppSync Endpoint.
5. AppSync verifies the token: it fetches the provider's discovery document from the Issuer URL over HTTPS, retrieves the signing keys (JWKS) that document points to, checks the token's signature with the key named by the token's `kid` header, and then checks that `iss` equals the configured issuer, that the token has not expired, and (if configured) that the audience matches a configured `clientId`. Only if every check passes does it proceed to process the request with its resolvers; otherwise the request is rejected as unauthorized before any resolver runs.

---

## References

- [OpenID Connect Protocol: Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth)