I made a custom Lambda authorizer that validates the JWT and returns an Allow policy.
using System.Collections.Generic;
using Amazon.Lambda.APIGatewayEvents;

// `claims` holds the claims of the already-validated JWT (validation code not shown).
var context = new APIGatewayCustomAuthorizerContextOutput();
var tokenUse = ExtractClaims(claims, "token_use");
// Context values must be flat strings/numbers/booleans; no nested objects.
context["tokenType"] = tokenUse;

var response = new APIGatewayCustomAuthorizerResponse
{
    PrincipalID = "asd",
    PolicyDocument = new APIGatewayCustomAuthorizerPolicy
    {
        Version = "2012-10-17",
        Statement = new List<APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement>()
        {
            new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement
            {
                Action = new HashSet<string>() { "execute-api:Invoke" },
                Effect = "Allow",
                Resource = new HashSet<string>() { "***" } // resource arn here
            }
        },
    },
    Context = context
};
return response;
Now I need to use this Identity on my resource server.
The problem is that the claims I put in the authorizer context appear directly under authorizer:
"authorizer": {
    "cognito:groups": "Admin", ...
}
but my Amazon.Lambda.AspNetCoreServer.APIGatewayProxyFunction expects them under authorizer.claims, like so:
"authorizer": {
    "claims": {
        "cognito:groups": "Admin", ...
    }
}
And I know that, because it was working when I was using the built in Cognito User Pool authorizer, which was making the input like that.
I managed to find that a Lambda authorizer is not allowed to add nested objects to the context (and tested that it throws an authorizer error if I do).
I also found that when APIGatewayProxyFunction is extracting the Identity, it looks at Authorizer.Claims.
So I need to either extract them on my resource server, bypassing the Claims property somehow, or add a nested object to the authorizer response, which is not allowed.
What do?
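One way to take the first route (build the identity on the resource server from the flat authorizer context) is to hook the request marshalling in the Lambda entry point. This is an added example, not code from the question or from the AWS library; it assumes that Amazon.Lambda.AspNetCoreServer exposes the virtual hook `PostMarshallHttpAuthenticationFeature` on `APIGatewayProxyFunction` in the version in use, that `RequestContext.Authorizer` is a `Dictionary<string, object>` subclass with a `Claims` property, and that the `Startup` class and the list of non-claim keys are the reader's own.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using Amazon.Lambda.APIGatewayEvents;
using Amazon.Lambda.AspNetCoreServer;
using Amazon.Lambda.Core;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http.Features.Authentication;

// Lambda entry point for the ASP.NET Core resource server (example, not the page's code).
public class LambdaEntryPoint : APIGatewayProxyFunction
{
    // Assumption: the application's own Startup class.
    protected override void Init(IWebHostBuilder builder)
    {
        builder.UseStartup<Startup>();
    }

    // Keys API Gateway adds to the authorizer context that are not JWT claims.
    // Assumption: extend this list for any other framework keys seen in practice.
    private static readonly HashSet<string> NonClaimKeys = new HashSet<string>
    {
        "principalId", "integrationLatency", "claims"
    };

    // Runs after the library has marshalled the API Gateway request, so it can
    // replace the (empty) identity the library derived from Authorizer.Claims.
    protected override void PostMarshallHttpAuthenticationFeature(
        IHttpAuthenticationFeature aspNetCoreHttpAuthenticationFeature,
        APIGatewayProxyRequest apiGatewayRequest,
        ILambdaContext lambdaContext)
    {
        var authorizer = apiGatewayRequest?.RequestContext?.Authorizer;
        if (authorizer == null)
        {
            return; // no authorizer ran; leave the request unauthenticated
        }

        // Cognito User Pool authorizer path: the library already built the
        // identity from the nested "claims" object, nothing to do.
        if (authorizer.Claims != null && authorizer.Claims.Count > 0)
        {
            return;
        }

        // Custom Lambda authorizer path: every claim was written as its own
        // top-level context key (flat string values), so read them directly.
        var claims = new List<Claim>();
        foreach (var entry in authorizer)
        {
            if (entry.Value == null || NonClaimKeys.Contains(entry.Key))
            {
                continue;
            }
            claims.Add(new Claim(entry.Key, entry.Value.ToString()));
        }

        if (claims.Count == 0)
        {
            return;
        }

        // The authentication type names the source; [Authorize] policies can
        // then check claims such as "cognito:groups" as usual.
        var identity = new ClaimsIdentity(claims, "LambdaAuthorizer");
        aspNetCoreHttpAuthenticationFeature.User = new ClaimsPrincipal(identity);
    }
}
```

The override trusts the authorizer context only because API Gateway populates it from the authorizer's response after the request was allowed; it never reads claims from a caller-supplied header. On the authorizer side, the matching change is to copy each JWT claim into the context as its own key (`context["cognito:groups"] = ...`), since the context accepts only flat string, number and boolean values; a multi-valued claim therefore arrives as a single string and must be split by the policy that consumes it.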