AWS Amplify (Events API): Unable to pass authToken with lambda authMode #14124

Open
svatkowski opened this issue Jan 8, 2025 · 3 comments
Labels
AppSync Related to AppSync issues Events Related to AppSync Events pending-community-response Issue is pending a response from the author or community.


svatkowski commented Jan 8, 2025

JavaScript Framework

React

Amplify APIs

Not applicable

Amplify Version

v6

Amplify Categories

api

Backend

CDK

Environment information

# Put output below this line
  System:
    OS: macOS 14.4
    CPU: (12) arm64 Apple M3 Pro
    Memory: 2.22 GB / 36.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 22.11.0 - /usr/local/bin/node
    Yarn: 1.22.22 - /usr/local/bin/yarn
    npm: 10.9.0 - /usr/local/bin/npm
  Browsers:
    Chrome: 131.0.6778.205
    Safari: 17.4
  npmPackages:
    aws-amplify: ^6.12.0 => 6.12.0 
    amazon-chime-sdk-js: ^3.25.0 => 3.25.0 

Describe the bug

When using the AWS Amplify Events API (events.connect) with a Supabase-provided token via the authToken parameter, the WebSocket connection fails with the error:

Uncaught (in promise) Error: No auth token specified.

This happens even though the authToken parameter is populated with a valid token retrieved from Supabase's authentication system.

I'm also using a JWT token from Supabase.

(Note that I'm using the Events API and not the GraphQL API.)

Expected behavior

The authToken parameter should allow the Amplify SDK to successfully pass the provided Supabase token to the AppSync Events API during the WebSocket connection. This would enable the WebSocket connection to authenticate and function as expected.

When using the AppSync Pub/Sub Editor, the same token works, and the WebSocket connection is established without any issues. However, when passing the token via the Amplify client using the authToken parameter in events.connect, the WebSocket connection fails with the error:

Uncaught (in promise) Error: No auth token specified

Reproduction steps

Set up your AppSync Events API with a lambda function; on the client side, set up aws-amplify, paste the code I've shown, and it should throw this error.

Code Snippet

// Put your code below this line.
import { Amplify } from 'aws-amplify';
import { events } from 'aws-amplify/data';

Amplify.configure({
    API: {
        Events: {
            endpoint: "https://example.appsync-api.us-east-1.amazonaws.com/event",
            region: "us-east-1",
            defaultAuthMode: "lambda",
        },
    },
});

// Connecting with a custom token in lambda auth mode is where the error is thrown
const channel = await events.connect('/test/channel', {
    authToken: "TOKEN",
});

channel.subscribe({
    next: (data) => {
        console.log('received', data);
    },
    error: (err) => console.error('error', err),
});

Log output

// Put your logs below this line
Uncaught (in promise) Error: No auth token specified.



svatkowski commented Jan 10, 2025

For information, 2 days ago I also tested the solution that @chrisbonifacio provided, i.e. hydrating the token via the tokenProvider inside Amplify.configure, but sadly it still throws the same error. Is using a Supabase token an issue?

import { Amplify } from 'aws-amplify';
import { decodeJWT } from 'aws-amplify/auth';
import type { TokenProvider } from 'aws-amplify/auth';
// `supabase` is the application's Supabase client, created elsewhere

const myTokenProvider: TokenProvider = {
    async getTokens({ forceRefresh } = {}) {
        if (forceRefresh) {
            // You can add logic for refreshing tokens if needed
        }

        const { data: { session } } = await supabase.auth.getSession();
        const accessToken = session?.access_token; // Access the Supabase token

        // If token is not available, you might want to handle this case
        if (!accessToken) {
            throw new Error("Access token not available");
        }

        // Return the token in a format that AWS expects
        return {
            accessToken: decodeJWT(accessToken), // Decoding if necessary
            idToken: decodeJWT(accessToken), // You can use the same access token for idToken if they are the same
        };
    },
};

Amplify.configure(
    {
        API: {
            Events: {
                endpoint: 'https://example.appsync-api.us-east-1.amazonaws.com/event',
                region: 'us-east-1',
                defaultAuthMode: 'lambda',
            },
        },
    },
    {
        Auth: {
            tokenProvider: myTokenProvider,
        }
    }
);

Also, for more context and debugging, I've tested via curl: getting a token manually and passing it to my curl command, and it returns successfully:

curl --location "https://example.appsync-api.us-east-1.amazonaws.com/event" \
--header 'Content-Type: application/json' \
--header "Authorization:TOKEN" \
--data '{
    "channel":"/default",
    "events":["\"Breaking news!\""]
}'

Output: {"failed":[],"successful":[{"identifier":"f5db8805-467b-49cc-9595...","index":0}]}%


svatkowski commented Jan 10, 2025

So after hours of debugging I figured out some things that resolve this issue, but for a reason I don't know. For context: since I use Supabase authentication, I don't want to have API keys, IAM or other things for authorization, but a lambda in my case, so I've created a lambda that uses the Supabase library to check, and it works well. The main issue was that when trying to pass the token from the client side using aws-amplify I encountered the following error: "No auth token specified". So I tested this code by changing the defaultAuthMode from lambda to oidc, and for some reason it works without throwing any errors. But I have not even configured OIDC on my AWS AppSync, so how is it possible that changing from lambda to oidc resolves this issue?

I've tried sending events, and my client receives them, so maybe I misunderstood how OIDC works.

The code I've used:

Amplify.configure(
    {
        API: {
            Events: {
                endpoint: 'https://example.appsync-api.us-east-1.amazonaws.com/event',
                region: 'us-east-1',
                defaultAuthMode: 'oidc', // Switched from lambda to oidc, even though I have not configured OIDC in my AppSync settings and only have a lambda
            },
        },
    },
    {
        Auth: {
            tokenProvider: myTokenProvider,
        }
    }
);


chrisbonifacio commented Jan 13, 2025

Hi @svatkowski 👋 thanks for updating us on the current status of your troubleshooting this issue. Your mention of using oidc as the authMode aligns with the workaround provided on another related issue.

I'm not sure why using oidc works in this scenario and not lambda. My assumption is it might have something to do with the way the Amplify library structures the Authorization header with the JWT and Bearer prefix and the way the AppSync service processes said header. Here's a page from the AppSync docs that describes what I'm referring to:

[Screenshot of the AppSync documentation page]

Can you try following the guidance from this doc and see if it helps resolve the issue? It sounds like you might've just needed to include a random prefix/suffix and remove it in the lambda handler for the lambda authMode to work.
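
The prefix approach suggested in the comment above, as an added example that is not code from this issue, Amplify or AppSync: a Lambda authorizer that requires a custom prefix on `authorizationToken`, strips it, verifies the JWT and denies everything else. The `sb-` prefix, the `JWT_SECRET` environment variable and HS256 signing of the Supabase token are assumptions; the client would then pass `authToken: 'sb-' + jwt`.

```javascript
// Added example. PREFIX and JWT_SECRET are hypothetical names, not from the issue.
const crypto = require('node:crypto');

const PREFIX = 'sb-'; // assumed custom prefix the client prepends to the JWT
const b64url = (s) => Buffer.from(s).toString('base64url');

// Verify an HS256 JWT: pinned algorithm, constant-time signature check, expiry.
function verifyHs256(jwt, secret, nowSec) {
  const parts = jwt.split('.');
  if (parts.length !== 3) return null;
  const [h, p, sig] = parts;
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
    payload = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  } catch { return null; }
  if (header?.alg !== 'HS256') return null; // reject "none" and algorithm swaps
  const expected = crypto.createHmac('sha256', secret).update(`${h}.${p}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  if (typeof payload?.exp !== 'number' || payload.exp <= nowSec) return null;
  return payload;
}

// Fail closed: a missing secret, a missing prefix or a bad token is denied.
function authorize(authorizationToken, secret, nowSec = Math.floor(Date.now() / 1000)) {
  if (!secret || typeof authorizationToken !== 'string' ||
      !authorizationToken.startsWith(PREFIX)) {
    return { isAuthorized: false };
  }
  const claims = verifyHs256(authorizationToken.slice(PREFIX.length), secret, nowSec);
  return { isAuthorized: claims !== null };
}

// Lambda entry point: AppSync passes the client's value as event.authorizationToken.
exports.handler = async (event) => authorize(event.authorizationToken, process.env.JWT_SECRET);

// Builds a constructed sample token for local testing (not a real Supabase token).
function signSample(payload, secret, alg = 'HS256') {
  const h = b64url(JSON.stringify({ alg, typ: 'JWT' }));
  const p = b64url(JSON.stringify(payload));
  const s = crypto.createHmac('sha256', secret).update(`${h}.${p}`).digest('base64url');
  return `${h}.${p}.${s}`;
}
```
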
