From 4566806a3239cefadcc6ff8cd126e6a6f236d210 Mon Sep 17 00:00:00 2001 From: Rene Brandel Date: Fri, 3 Feb 2023 09:48:05 -0800 Subject: [PATCH 1/3] Updated docs for real-time multi-group authorization --- src/pages/cli-legacy/graphql-transformer/auth.mdx | 4 ---- src/pages/cli/graphql/authorization-rules.mdx | 6 +++++- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/pages/cli-legacy/graphql-transformer/auth.mdx b/src/pages/cli-legacy/graphql-transformer/auth.mdx index 3414b981ae8..180914fd279 100644 --- a/src/pages/cli-legacy/graphql-transformer/auth.mdx +++ b/src/pages/cli-legacy/graphql-transformer/auth.mdx @@ -570,10 +570,6 @@ When `@auth` is used subscriptions have a few subtle behavior differences than q Alternatively, when the model is protected using the static group auth strategy, the subscription request will only succeed if the user is in an allowed group. Further, the user will only get notifications of updates to records if they are in an allowed group. Note: You don't need to pass the user as an argument in the subscription request, since the resolver will instead check the contents of your JWT token. - -Dynamic groups have no impact to subscriptions. You will not get notified of any updates to them. - - For example suppose you have the following schema: ```graphql diff --git a/src/pages/cli/graphql/authorization-rules.mdx b/src/pages/cli/graphql/authorization-rules.mdx index 17f393c68c6..6c520616f1f 100644 --- a/src/pages/cli/graphql/authorization-rules.mdx +++ b/src/pages/cli/graphql/authorization-rules.mdx 
@@ -210,7 +210,11 @@ With dynamic group authorization, each record contains an attribute specifying w By default, `group` authorization leverages Amazon Cognito user pool groups but you can also use OpenID Connect with `group` authorization. See [OpenID Connect as an authorization provider](#using-oidc-authorization-provider). -**Known limitation**: Real-time subscriptions are not supported for dynamic group authorization. +**Known real-time subscription limitation for dynamic group authorization**: +1. If you authorize based on a single group per record, then subscriptions are only supported if the user is part of 5 or fewer user groups +2. If you authorize via an array of groups (communities: [String]! example above), + - subscriptions are only supported if the user is part of 20 or fewer groups + - you can only authorize 20 or fewer user groups per record ### Custom authorization rule From a91c5cfa854e9eaad607b898d671475c3d612019 Mon Sep 17 00:00:00 2001 From: Rene Brandel <4989523+renebrandel@users.noreply.github.com> Date: Fri, 3 Feb 2023 09:57:03 -0800 Subject: [PATCH 2/3] Update authorization-rules.mdx --- src/pages/cli/graphql/authorization-rules.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/cli/graphql/authorization-rules.mdx b/src/pages/cli/graphql/authorization-rules.mdx index 6c520616f1f..fa68a99afb6 100644 --- a/src/pages/cli/graphql/authorization-rules.mdx +++ b/src/pages/cli/graphql/authorization-rules.mdx 
@@ -210,7 +210,7 @@ With dynamic group authorization, each record contains an attribute specifying w By default, `group` authorization leverages Amazon Cognito user pool groups but you can also use OpenID Connect with `group` authorization. See [OpenID Connect as an authorization provider](#using-oidc-authorization-provider). -**Known real-time subscription limitation for dynamic group authorization**: +**Known limitations for real-time subscriptions when using dynamic group authorization**: 1. If you authorize based on a single group per record, then subscriptions are only supported if the user is part of 5 or fewer user groups 2. If you authorize via an array of groups (communities: [String]! example above), - subscriptions are only supported if the user is part of 20 or fewer groups From ed649de10df50875a17b3bd1d36f69feafb01d20 Mon Sep 17 00:00:00 2001 From: Rene Brandel Date: Fri, 3 Feb 2023 13:10:20 -0800 Subject: [PATCH 3/3] fixed typo --- src/pages/cli/graphql/authorization-rules.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/cli/graphql/authorization-rules.mdx b/src/pages/cli/graphql/authorization-rules.mdx index fa68a99afb6..00b2e76c7ee 100644 --- a/src/pages/cli/graphql/authorization-rules.mdx +++ b/src/pages/cli/graphql/authorization-rules.mdx @@ -212,7 +212,7 @@ By default, `group` authorization leverages Amazon Cognito user pool groups but **Known limitations for real-time subscriptions when using dynamic group authorization**: 1. If you authorize based on a single group per record, then subscriptions are only supported if the user is part of 5 or fewer user groups -2. If you authorize via an array of groups (communities: [String]! example above), +2. If you authorize via an array of groups (`groups: [String]` example above), - subscriptions are only supported if the user is part of 20 or fewer groups - you can only authorize 20 or fewer user groups per record
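Review bot: In the `src/pages/cli-legacy/graphql-transformer/auth.mdx` hunk of PATCH 1/3, the sentences "Dynamic groups have no impact to subscriptions. You will not get notified of any updates to them." are deleted with nothing put in their place, so the legacy page no longer says anything about how dynamic group rules interact with subscriptions. If the legacy transformer still behaves as the removed text described, the text should stay. If it now follows the new limits, repeat the limitation list here or link to it in `authorization-rules.mdx`, so that readers of the legacy page do not assume unrestricted real-time delivery for dynamic group rules.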
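Review bot: The limitation list added in the `src/pages/cli/graphql/authorization-rules.mdx` hunk of PATCH 1/3 gives the thresholds (5 groups, 20 groups, 20 groups per record) but not what happens once they are exceeded. For an authorization rule that is the part a reader needs: state whether the subscription request is rejected outright or whether it connects and silently omits events, and what happens to a record that lists more than 20 groups. It would also help to say how "the user is part of 5 or fewer user groups" is counted, that is, whether it covers every group the user belongs to or only the groups relevant to the model.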
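Review bot: In PATCH 3/3 the reference in item 2 changes from "communities: [String]! example above" to "`groups: [String]` example above", which alters both the field name and the nullability marker, while the commit is titled "fixed typo" and the schema example it points to is not part of the diff. Please confirm that the example above this paragraph declares `groups: [String]` exactly as written. Item 1 has no matching field reference for the single-group case; adding one would tie both limits to a concrete schema.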