From 1dfc54c779ef1b53bf249570467162325e7accb8 Mon Sep 17 00:00:00 2001
From: Gerard Guillemas Martos
Date: Tue, 8 Oct 2024 16:58:54 +0200
Subject: [PATCH 1/3] Fixes to queries for identity provider tutorials
---
 ...grate-auth0-as-authentication-provider.mdx | 37 ++++++++++---------
 ...aws-cognito-as-authentication-provider.mdx | 27 ++++++++------
 2 files changed, 35 insertions(+), 29 deletions(-)
diff --git a/src/content/doc-surrealdb/tutorials/integrate-auth0-as-authentication-provider.mdx b/src/content/doc-surrealdb/tutorials/integrate-auth0-as-authentication-provider.mdx
index 0f5a833c2..6aa1446f1 100644
--- a/src/content/doc-surrealdb/tutorials/integrate-auth0-as-authentication-provider.mdx
+++ b/src/content/doc-surrealdb/tutorials/integrate-auth0-as-authentication-provider.mdx
@@ -246,24 +246,27 @@ USE NS test DB test;
 -- Define the public key to verify tokens issued by Auth0 for our application.
 -- The name of the token should match the custom claim that we configured before.
 DEFINE ACCESS auth0 ON DATABASE TYPE RECORD
- -- We check the token claims and map the email address to a record user.
- AUTHENTICATE {
- -- The JWT specification allows the audience claim to be an array or a string.
- -- In this example, we ensure that it is provided as an array by Auth0.
- type::is::array($token.aud) AND
- -- The audience claim must contain the audience of you application.
- -- This is the value that you defined when creating the API in Auth0.
- IF $token.aud CONTAINS ""
- -- The audience claim must contain your Auth0 user information endpoint.
- -- It contains the domain generated when when creating the application in Auth0.
- AND $token.aud CONTAINS "https:///userinfo"
- -- The email address in the token must be verified as belonging to the user.
- AND $token['https://surrealdb.com/email_verified'] = true {
- -- We return the only user that matches the email address claim found in the token.
- RETURN SELECT * FROM user WHERE email = $token['https://surrealdb.com/email']
+ -- We verify the token using the public keys hosted by Auth0.
+ WITH JWT URL "https:///.well-known/jwks.json"
+ -- We check the token claims and map the email address to a record user.
+ AUTHENTICATE {
+ IF (
+ -- The JWT specification allows the audience claim to be an array or a string.
+ -- In this example, we ensure that it is provided as an array by Auth0.
+ $token.aud.is_array()
+ -- The audience claim must contain the audience of you application.
+ -- This is the value that you defined when creating the API in Auth0.
+ AND $token.aud CONTAINS ""
+ -- The audience claim must contain your Auth0 user information endpoint.
+ -- It contains the domain generated when when creating the application in Auth0.
+ AND $token.aud CONTAINS "https:///userinfo"
+ -- The email address in the token must be verified as belonging to the user.
+ AND $token['https://surrealdb.com/email_verified'] = true
+ ) {
+ -- We return the only user that matches the email address claim found in the token.
+ RETURN SELECT * FROM user WHERE email = $token['https://surrealdb.com/email']
+ }
 }
- }
- WITH JWT URL "https:///.well-known/jwks.json"
 ;
 ```
diff --git a/src/content/doc-surrealdb/tutorials/integrate-aws-cognito-as-authentication-provider.mdx b/src/content/doc-surrealdb/tutorials/integrate-aws-cognito-as-authentication-provider.mdx
index 4475c1aa0..d482a2504 100644
--- a/src/content/doc-surrealdb/tutorials/integrate-aws-cognito-as-authentication-provider.mdx
+++ b/src/content/doc-surrealdb/tutorials/integrate-aws-cognito-as-authentication-provider.mdx
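Review bot: The new Auth0 AUTHENTICATE block checks `aud` twice but never compares `$token.iss`, while the Cognito block in the next hunk pins the issuer; because the signature is verified against the tenant's JWKS the token is already bound to that tenant, so this is defense in depth and consistency between the two tutorials rather than a bypass, and it costs one conjunct, `AND $token.iss = "https://<AUTH0_DOMAIN>/"` (placeholder for the tenant domain). The comment `-- We return the only user that matches ...` promises a single match, but `RETURN SELECT * FROM user WHERE email = ...` by itself does not enforce it; if the tutorial defines a unique index on `user.email` elsewhere (not visible in this hunk) the comment should say that it relies on it. The rewritten comment lines still read "of you application" and "when when creating" (the same typos are on the removed side).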
@@ -254,19 +254,22 @@ USE NS test DB test;
 -- Define the public key to verify tokens issued by your AWS Cognito user pool.
 -- The name of the access method should match the custom claim that we configured before.
 DEFINE ACCESS cognito ON DATABASE TYPE RECORD
- -- We check the token claims and map the email address to a record user.
- AUTHENTICATE {
- -- The issuer claim must match the URL of your AWS Cognito user pool.
- IF $token.iss = "https://cognito-idp..amazonaws.com/"
- -- The audience claim must match you AWS Cognito Client ID.
- AND $token.aud = ""
- -- The email address in the token must be verified as belonging to the user.
- AND $token.email_verified = true {
- -- We return the only user that matches the email address claim found in the token.
- RETURN SELECT * FROM user WHERE email = $token.email
- }
+ -- We verify the token using the public keys hosted by AWS.
+ WITH JWT URL "https://cognito-idp..amazonaws.com//.well-known/jwks.json"
+ -- We check the token claims and map the email address to a record user.
+ AUTHENTICATE {
+ IF (
+ -- The issuer claim must match the URL of your AWS Cognito user pool.
+ $token.iss = "https://cognito-idp..amazonaws.com/"
+ -- The audience claim must match you AWS Cognito Client ID.
+ AND $token.aud = ""
+ -- The email address in the token must be verified as belonging to the user.
+ AND $token.email_verified = true
+ ) {
+ -- We return the only user that matches the email address claim found in the token.
+ RETURN SELECT * FROM user WHERE email = $token.email
+ }
 }
- WITH JWT URL "https://cognito-idp..amazonaws.com//.well-known/jwks.json"
 ;
 ```
From fb959c529ab061ece04279fa39cfbf66a518b0b1 Mon Sep 17 00:00:00 2001
From: ekwuno
Date: Wed, 9 Oct 2024 08:51:15 +0100
Subject: [PATCH 2/3] Add aws changes back
---
 .../integrate-aws-cognito-as-authentication-provider.mdx | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
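Review bot: The condition `AND $token.aud = ""` on the new side is only satisfiable with a Cognito ID token; a Cognito access token carries the client id in a `client_id` claim and has no `aud`, so with an access token the comparison is not satisfied and the access method rejects it, and `$token.email_verified` is likewise an ID-token claim. The sample therefore implicitly requires the ID token, which is worth stating in a comment above the IF, e.g. `-- Use the Cognito ID token: it carries aud and email_verified, the access token does not.`. The same block is added again to the doc-tutorials copy in patches 2 and 3, where the added `-- We verify the token using the public keys hosted by AWS.` comment sits at column 0 while the rest of the DEFINE ACCESS body is indented. The new comment `-- The audience claim must match you AWS Cognito Client ID.` still reads "you" for "your".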
diff --git a/src/content/doc-tutorials/integrate-aws-cognito-as-authentication-provider.mdx b/src/content/doc-tutorials/integrate-aws-cognito-as-authentication-provider.mdx
index 519113e2b..ad4fd54c7 100644
--- a/src/content/doc-tutorials/integrate-aws-cognito-as-authentication-provider.mdx
+++ b/src/content/doc-tutorials/integrate-aws-cognito-as-authentication-provider.mdx
@@ -184,6 +184,8 @@ USE NS test DB test;
 -- Define the public key to verify tokens issued by your AWS Cognito user pool.
 -- The name of the access method should match the custom claim that we configured before.
 DEFINE ACCESS cognito ON DATABASE TYPE RECORD
+-- We verify the token using the public keys hosted by AWS.
+ WITH JWT URL "https://cognito-idp..amazonaws.com//.well-known/jwks.json"
 -- We check the token claims and map the email address to a record user.
 AUTHENTICATE {
 -- The issuer claim must match the URL of your AWS Cognito user pool.
@@ -196,7 +198,6 @@ DEFINE ACCESS cognito ON DATABASE TYPE RECORD
 RETURN SELECT * FROM user WHERE email = $token.email
 }
 }
- WITH JWT URL "https://cognito-idp..amazonaws.com//.well-known/jwks.json"
 ;
 ```
From 6fd4158dc1a4b6d3a994a625d73927113b111ad4 Mon Sep 17 00:00:00 2001
From: ekwuno
Date: Wed, 9 Oct 2024 08:53:26 +0100
Subject: [PATCH 3/3] update
---
 ...aws-cognito-as-authentication-provider.mdx | 26 ++++++++++---------
 1 file changed, 14 insertions(+), 12 deletions(-)
diff --git a/src/content/doc-tutorials/integrate-aws-cognito-as-authentication-provider.mdx b/src/content/doc-tutorials/integrate-aws-cognito-as-authentication-provider.mdx
index ad4fd54c7..5dcd207b8 100644
--- a/src/content/doc-tutorials/integrate-aws-cognito-as-authentication-provider.mdx
+++ b/src/content/doc-tutorials/integrate-aws-cognito-as-authentication-provider.mdx
@@ -185,18 +185,20 @@ USE NS test DB test;
 -- The name of the access method should match the custom claim that we configured before.
 DEFINE ACCESS cognito ON DATABASE TYPE RECORD
 -- We verify the token using the public keys hosted by AWS.
- WITH JWT URL "https://cognito-idp..amazonaws.com//.well-known/jwks.json"
- -- We check the token claims and map the email address to a record user.
- AUTHENTICATE {
- -- The issuer claim must match the URL of your AWS Cognito user pool.
- IF $token.iss = "https://cognito-idp..amazonaws.com/"
- -- The audience claim must match you AWS Cognito Client ID.
- AND $token.aud = ""
- -- The email address in the token must be verified as belonging to the user.
- AND $token.email_verified = true {
- -- We return the only user that matches the email address claim found in the token.
- RETURN SELECT * FROM user WHERE email = $token.email
- }
+ WITH JWT URL "https://cognito-idp..amazonaws.com//.well-known/jwks.json"
+ -- We check the token claims and map the email address to a record user.
+ AUTHENTICATE {
+ IF (
+ -- The issuer claim must match the URL of your AWS Cognito user pool.
+ $token.iss = "https://cognito-idp..amazonaws.com/"
+ -- The audience claim must match you AWS Cognito Client ID.
+ AND $token.aud = ""
+ -- The email address in the token must be verified as belonging to the user.
+ AND $token.email_verified = true
+ ) {
+ -- We return the only user that matches the email address claim found in the token.
+ RETURN SELECT * FROM user WHERE email = $token.email
+ }
 }
 ;
 ```