Fixes to queries for identity provider tutorials

surrealdb · Oct 8, 2024 · 1dfc54c · 1dfc54c
1 parent 7a6c494
commit 1dfc54c
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 29 deletions.
diff --git a/src/content/doc-surrealdb/tutorials/integrate-auth0-as-authentication-provider.mdx b/src/content/doc-surrealdb/tutorials/integrate-auth0-as-authentication-provider.mdx
@@ -246,24 +246,27 @@ USE NS test DB test;
 -- Define the public key to verify tokens issued by Auth0 for our application.
 -- The name of the token should match the custom claim that we configured before.
 DEFINE ACCESS auth0 ON DATABASE TYPE RECORD
-  -- We check the token claims and map the email address to a record user.
-  AUTHENTICATE {
-    -- The JWT specification allows the audience claim to be an array or a string.
-    -- In this example, we ensure that it is provided as an array by Auth0.
-    type::is::array($token.aud) AND
-    -- The audience claim must contain the audience of you application.
-    -- This is the value that you defined when creating the API in Auth0.
-    IF $token.aud CONTAINS "<YOUR_AUTH0_AUDIENCE_VALUE>"
-    -- The audience claim must contain your Auth0 user information endpoint.
-    -- It contains the domain generated when when creating the application in Auth0.
-    AND $token.aud CONTAINS "https://<YOUR_AUTH0_DOMAIN>/userinfo"
-    -- The email address in the token must be verified as belonging to the user.
-    AND $token['https://surrealdb.com/email_verified'] = true {
-      -- We return the only user that matches the email address claim found in the token.
-      RETURN SELECT * FROM user WHERE email = $token['https://surrealdb.com/email']
+    -- We verify the token using the public keys hosted by Auth0.
+    WITH JWT URL "https://<YOUR_AUTH0_DOMAIN>/.well-known/jwks.json"
+    -- We check the token claims and map the email address to a record user.
+    AUTHENTICATE {
+        IF (
+            -- The JWT specification allows the audience claim to be an array or a string.
+            -- In this example, we ensure that it is provided as an array by Auth0.
+            $token.aud.is_array()
+            -- The audience claim must contain the audience of you application.
+            -- This is the value that you defined when creating the API in Auth0.
+            AND $token.aud CONTAINS "<YOUR_AUTH0_AUDIENCE_VALUE>"
+            -- The audience claim must contain your Auth0 user information endpoint.
+            -- It contains the domain generated when when creating the application in Auth0.
+            AND $token.aud CONTAINS "https://<YOUR_AUTH0_DOMAIN>/userinfo"
+            -- The email address in the token must be verified as belonging to the user.
+            AND $token['https://surrealdb.com/email_verified'] = true
+        ) {
+            -- We return the only user that matches the email address claim found in the token.
+            RETURN SELECT * FROM user WHERE email = $token['https://surrealdb.com/email']
+        }
     }
-  }
-  WITH JWT URL "https://<YOUR_AUTH0_DOMAIN>/.well-known/jwks.json"
 ;
 ```
 

diff --git a/...nt/doc-surrealdb/tutorials/integrate-aws-cognito-as-authentication-provider.mdx b/...nt/doc-surrealdb/tutorials/integrate-aws-cognito-as-authentication-provider.mdx
@@ -254,19 +254,22 @@ USE NS test DB test;
 -- Define the public key to verify tokens issued by your AWS Cognito user pool.
 -- The name of the access method should match the custom claim that we configured before.
 DEFINE ACCESS cognito ON DATABASE TYPE RECORD
-  -- We check the token claims and map the email address to a record user.
-  AUTHENTICATE {
-    -- The issuer claim must match the URL of your AWS Cognito user pool.
-    IF $token.iss = "https://cognito-idp.<YOUR_AWS_REGION>.amazonaws.com/<YOUR_COGNITO_USER_POOL_ID>"
-    -- The audience claim must match you AWS Cognito Client ID.
-    AND $token.aud = "<YOUR_COGNITO_CLIENT_ID>"
-    -- The email address in the token must be verified as belonging to the user.
-    AND $token.email_verified = true {
-      -- We return the only user that matches the email address claim found in the token.
-      RETURN SELECT * FROM user WHERE email = $token.email
-    }
+    -- We verify the token using the public keys hosted by AWS.
+    WITH JWT URL "https://cognito-idp.<YOUR_AWS_REGION>.amazonaws.com/<YOUR_COGNITO_USER_POOL_ID>/.well-known/jwks.json"
+    -- We check the token claims and map the email address to a record user.
+    AUTHENTICATE {
+        IF (
+            -- The issuer claim must match the URL of your AWS Cognito user pool.
+            $token.iss = "https://cognito-idp.<YOUR_AWS_REGION>.amazonaws.com/<YOUR_COGNITO_USER_POOL_ID>"
+            -- The audience claim must match you AWS Cognito Client ID.
+            AND $token.aud = "<YOUR_COGNITO_CLIENT_ID>"
+            -- The email address in the token must be verified as belonging to the user.
+            AND $token.email_verified = true
+        ) {
+            -- We return the only user that matches the email address claim found in the token.
+            RETURN SELECT * FROM user WHERE email = $token.email
+        }
   }
-  WITH JWT URL "https://cognito-idp.<YOUR_AWS_REGION>.amazonaws.com/<YOUR_COGNITO_USER_POOL_ID>/.well-known/jwks.json"
 ;
 ```