Event
The event that the Lambda authorizer receives has the following format. More info can be found at the link
```json
{
  "type": "TOKEN",
  "methodArn": "arn:aws:execute-api:{regionId}:{accountId}:{apiId}/{stage}/{httpVerb}/{resource}",
  "authorizationToken": "Bearer eyJ0eXAiOiJKV1QiLCJhbGciO......"
}
```
Cognito Bearer Token
The token that Cognito issues has the following format (decoded payload). More info can be found at the link
```json
{
  "at_hash": "123123",
  "sub": "98cfee32-3adc-11ea-81ed-9cb70d06741b",
  "cognito:groups": [
    "admin"
  ],
  "iss": "https://cognito-idp.{regionId}.amazonaws.com/{userpoolID}",
  "cognito:username": "test@klarna.com",
  "nonce": "n-0S6_WzA2Mj",
  "aud": "{clientID}",
  "token_use": "id",
  "auth_time": 1500009400,
  "exp": 1500013000,
  "iat": 1500009400,
  "email": "test@test.com"
}
```
The authorizer validates the token in three steps:
- Confirm the structure of the JWT
- Validate the JWT signature
  - Get the public JSON Web Keys (JWKS) of the user pool, e.g. https://cognito-idp.{regionId}.amazonaws.com/{userpoolID}/.well-known/jwks.json
  - Find the key in the JWKS whose kid matches the kid in the JWT header, and verify the signature with it
- Verify the claims
  - The audience (aud) claim should match the app client ID created in the Amazon Cognito user pool.
  - Verify that the token is not expired.
  - The issuer (iss) claim should match your user pool, e.g. https://cognito-idp.{regionId}.amazonaws.com/{userpoolID}

More info can be found at the link
Amazon API Gateway expects the authorizer to return the following format. More info can be found at the link
```json
{
  "principalId": "yyyyyyyy",
  "policyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "execute-api:Invoke",
        "Effect": "Allow|Deny",
        "Resource": "arn:aws:execute-api:{regionId}:{accountId}:{apiId}/{stage}/{httpVerb}/{resource}/{child-resources}"
      }
    ]
  },
  "context": {
    "stringKey": "value",
    "numberKey": "1",
    "booleanKey": "true"
  },
  "usageIdentifierKey": "{api-key}"
}
```
For the deployment of the demo I use the serverless framework.
- Serverless framework
- Cognito User pool
- UserPoolClient

We need to provide the {clientID} and the {userpoolID} from our Cognito User pool:
```bash
sls deploy --userPoolClientId='{clientID}' --userPoolId='{userpoolID}'
```