Graphql subscription does not work with default identityClaim if allow: owner is set

[michaelrios]

Before opening, please confirm:

• I have searched for duplicate or closed issues and discussions.
• I have read the guide for submitting bug reports.
• I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.

JavaScript Framework

Next.js

Amplify APIs

GraphQL API

Amplify Categories

api

Environment information

# Put output below this line

Describe the bug

This is kind of how it is supposed to work, so you may not consider it a bug, but this is at the very least something that should be added to documentation.

When subscribed to an appsync mutation, the subscription is only listening to the return object when the create event occurs. This is normally not a problem UNLESS the subscribed object is using allow: owner.

When the create event happens the API.graphql function call returns owner: {username}, and not owner: {sub::username} as is the standard identityClaim format. So when the subscription is listening for mutations, it only sees owner: {username}, which is not the actual value used to verify the subscribed user.

If I override the identityClaim to be username, then the subscription works since the creation only returns username, and not the full default identity claim sub::username

Expected behavior

Given the following graphql.schema

type Message @model @auth(rules: [
  { allow: owner, ownerField: "owners", operations: [read]}
]) {
  id: ID!
  message: String!
  owners: [String!]!
}

The onCreateMessage subscription should work, but it will not unless the identityClaim is overridden to be just username, and not the default sub::username.

Reproduction steps

1. use the above model in a graphql.schema
2. amplify push
3. login as the user
4. subscribe to onCreateMessage
5. create a message using createMessage, and set the owners field
6. You will not see the message
7. if you override the identityClaim as I mentioned above, resubscribe, and create a new message only using the username in the owners, then you will then see the message

Code Snippet

No response

Log output

No response

aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

[michaelrios]

Without changing the identityClaim I can listMessges no problem, the issue is only while subscribed to the changes.

[chrisbonifacio]

Hi @michaelrios thanks for raising this issue. In one of the reproduction steps, when performing the createMessage mutation it says to "set the owners" field. What value are you passing for the owners list? Is it the user's username or sub::username?

[michaelrios]

to recreate the issue, I am setting the owners field to sub::username
Thanks for looking into this 🙏🏼

[cwomack]

Hello, @michaelrios 👋. With the release of the latest major version of Amplify (aws-amplify@>6), we highly recommend updating to the most recent version. Please refer to our release announcement, migration guide, and documentation for more information.

Can you please try to upgrade to v6 and see if this issue persists? Thank you!

[cwomack]

Closing this issue as we have not heard back from you. If you are still experiencing this, please feel free to reply back and provide any information previously requested and we'd be happy to re-open the issue.

Thank you!