Correct principalId value for a custom API Gateway authorizer via Lambda?

I am using the new API Gateway feature with Lambda functions to use custom authorizers ( https://docs.aws.amazon.com/apigateway/latest/developerguide/use-custom-authorizer.html ).

The authorizer uses JWT tokens to verify the token for the current context and user scope(s). Everything works fine, but there is one concept regarding AWS policies that I cannot understand from the documentation.

The result of the Custom Authorizer function must be an object containing two things:

  • principalId -
  • policyDocument - a valid policy document with instructions that allows authorized access to Lambda resources, steps, etc.

Now, the examples for custom authorizers show almost arbitrary values for the principalId variable. But if I understand correctly, shouldn't this principalId be unique to each user? And it might carry a user-specific unique value (for example, token.userId or token.email ).

If this is true, then in my code provided below, if the JWT token is not valid, I do not have access to userId or email , and so I have no hint about what to set principalId to. I temporarily set it to user just to have something for the Deny policy, so that a 403 Forbidden response is returned.

Does anyone have a hint on the best way to configure principalId for custom authorizers?

```javascript
var jwt = require('jsonwebtoken');
var JWT_SECRET = 'My$ecret!';

/**
 * Implicit AWS API Gateway Custom Authorizer. Validates the JWT token passed
 * into the Authorization header for all requests.
 * @param  {Object} event   [description]
 * @param  {Object} context [description]
 * @return {Object}         [description]
 */
exports.handler = function(event, context) {
  var token = event.authorizationToken;
  try {
    var decoded = jwt.verify(token, JWT_SECRET);
    context.done(null, generatePolicy(decoded.id, 'Allow', 'arn:aws:execute-api:*:*:*'));
  } catch(ex) {
    console.error(ex.name + ": " + ex.message);
    context.done(null, generatePolicy('user', 'Deny', 'arn:aws:execute-api:*:*:*'));
  }
};

function generatePolicy(principalId, effect, resource) {
  var authResponse = {};
  authResponse.principalId = principalId;
  if (effect && resource) {
    var policyDocument = {};
    policyDocument.Version = '2012-10-17'; // default version
    policyDocument.Statement = [];
    var statementOne = {};
    statementOne.Action = 'execute-api:Invoke'; // default action
    statementOne.Effect = effect;
    statementOne.Resource = resource;
    policyDocument.Statement[0] = statementOne;
    authResponse.policyDocument = policyDocument;
  }
  return authResponse;
}
```
+7
amazon-web-services aws-lambda jwt aws-api-gateway
1 answer

principalId is intended to represent a long-term identifier for whatever entity is allowed to make an API call. Therefore, if you have an existing user database, each user presumably has a unique identifier or username. You mentioned "user", which is probably fine. Functionally, principalId is logged if you enable CloudWatch logs, and it is also what you can access through $context in mapping templates.

In terms of design for your function, you have two options for working with an invalid token.

  • If you return a valid Deny policy, this lets API Gateway cache the policy for that token if it is reused, so you get fewer Lambda invocations. However, the client will receive a 403 and may assume that the token is valid but that they do not have access to the requested resource.

  • context.fail("Unauthorized") will send a 401 response to the client, which should indicate to them that the token is invalid. This helps the client, but also leads to more invocations of the function if the client replays the bad token. Negative caching is currently not available in this feature, but another way of providing moderate protection is to use "identityValidationExpression" → http://docs.aws.amazon.com/apigateway/api-reference/resource/authorizer/#identityValidationExpression

In addition, I highly recommend that you port this to a new Lambda function based on the apigateway-authorizer-nodejs blueprint, since the sample code in the docs is minimal and for illustration only. The blueprint contains many comments documenting the various use cases, such as deny (“Unauthorized”).

+5