
AWS API Gateway Custom Authorizer Role Validation

Is there any way of specifying allowed scopes on an API Gateway method such that the allowed scopes are passed to a custom authorizer and validated against the scopes claim in an access token?

E.g. a get-users endpoint might be available to all users, but a create-user endpoint only to users with the create:user scope. As well as ensuring the access token is valid, the custom authorizer would check the scope claim in the token and compare it to the allowed scopes for the method.

Would prefer not to have to write a different authorizer function for each combination of required scopes.

I notice something like this is possible with Cognito, but my identity provider / token issuer is Auth0, so I am using a Lambda function to validate the access token.

Kind regards

You should be able to use a single Lambda Authorizer to protect both endpoints based on the token scope. You will want to use a Request-based Enhanced Lambda Authorizer.

You pass the access token in the Authorization header and verify the access token signature and expiration before processing the request.

An example of the Event object received by the authorizer:

{
    "methodArn": "arn:aws:execute-api:us-east-1:XXXXXXXXXX:xxxxxx/dev/GET/hello",
    "resource": "/hello",
    "requestContext": {
        "resourceId": "xxxx",
        "apiId": "xxxxxxxxx",
        "resourcePath": "/hello",
        "httpMethod": "GET",
        "requestId": "9e04ff18-98a6-11e7-9311-ef19ba18fc8a",
        "path": "/dev/hello",
        "accountId": "XXXXXXXXXXX",
        "identity": {
            "apiKey": "",
            "sourceIp": "58.240.196.186"
        },
        "stage": "dev"
    },
    "queryStringParameters": {},
    "httpMethod": "GET",
    "pathParameters": {},
    "headers": {
        "cache-control": "no-cache",
        "x-amzn-ssl-client-hello": "AQACJAMDAAAAAAAAAAAAAAAAAAAAAAAAAAAA…",
        "Accept-Encoding": "gzip, deflate",
        "X-Forwarded-For": "54.240.196.186, 54.182.214.90",
        "Accept": "*/*",
        "User-Agent": "PostmanRuntime/6.2.5",
        "Authorization": "hello"
    },
    "stageVariables": {},
    "path": "/hello",
    "type": "REQUEST"
}

You can identify the request by the combination of event.requestContext.resourcePath and event.requestContext.httpMethod. Based on the request type and the scope defined in the token you can return an Allow or Deny policy. If, for example, the request is for the create-user endpoint but the access token doesn't include the create:user scope, then you will return a policy to deny the request.
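The approach above, worked through as an added example (not the answer author's code): one REQUEST-type Lambda authorizer holds a table mapping each method and resource path to the scopes it requires, reads the token's space-delimited scope claim, and returns an IAM policy. It assumes a JWT library such as PyJWT (keyed from the Auth0 JWKS) verifies the token signature, issuer and audience; the `decode_claims` callback and the `DEMO_CLAIMS` table stand in for that so the code runs offline, and the account, API id, routes and scopes are constructed for illustration. It goes slightly beyond the answer in one respect: rather than a policy for just the invoked method ARN, it allows every route the token's scopes cover and denies the rest, which matters when authorizer result caching is on, because API Gateway reuses the cached policy for later requests that present the same token.

```python
"""Single REQUEST-type Lambda authorizer enforcing per-method OAuth2 scopes.
Added example, not the answer author's code. A JWT library (e.g. PyJWT with
the Auth0 JWKS) is assumed to verify signature, issuer and audience; the
decode_claims callback stands in for it so the example runs offline."""
import re
import time
from typing import Callable, Dict, Optional, Set, Tuple

# (HTTP method, resource path template) -> required scopes. Constructed for
# this example; "{id}" segments become "*" in the policy resource ARNs.
REQUIRED_SCOPES: Dict[Tuple[str, str], Set[str]] = {
    ("GET", "/users"): set(),                  # any valid token
    ("POST", "/users"): {"create:user"},
    ("DELETE", "/users/{id}"): {"delete:user"},
}

def extract_bearer(headers: Dict[str, str]) -> Optional[str]:
    """Bearer token from the Authorization header, whatever its letter case."""
    for name, value in headers.items():
        if name.lower() == "authorization":
            scheme, _, token = value.partition(" ")
            if scheme.lower() == "bearer" and token:
                return token
    return None

def token_scopes(claims: dict) -> Set[str]:
    """Auth0 issues a space-delimited 'scope' claim; some issuers use a list."""
    scope = claims.get("scope", "")
    return set(scope.split()) if isinstance(scope, str) else set(scope)

def invoked_effect(event: dict, granted: Set[str]) -> str:
    """Decision for the invoked route, keyed on requestContext.httpMethod and
    resourcePath as the answer describes; unknown routes fail closed."""
    rc = event["requestContext"]
    required = REQUIRED_SCOPES.get((rc["httpMethod"], rc["resourcePath"]))
    return "Allow" if required is not None and required <= granted else "Deny"

def route_arn(method_arn: str, method: str, path: str) -> str:
    """Route ARN derived from the invoked methodArn, which has the form
    arn:aws:execute-api:region:account:apiId/stage/METHOD/path."""
    arn_prefix, stage = method_arn.split("/")[:2]
    return f"{arn_prefix}/{stage}/{method}/" + re.sub(r"\{[^/]+\}", "*", path.lstrip("/"))

def build_policy(principal: str, method_arn: str, granted: Set[str]) -> dict:
    """Allow every route the token's scopes cover and deny the rest. Listing all
    routes keeps the policy correct when authorizer caching reuses it for
    later requests carrying the same token."""
    allow, deny = [], []
    for (method, path), required in REQUIRED_SCOPES.items():
        (allow if required <= granted else deny).append(route_arn(method_arn, method, path))
    statements = [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": arns}
                  for effect, arns in (("Allow", allow), ("Deny", deny)) if arns]
    return {
        "principalId": principal,
        "policyDocument": {"Version": "2012-10-17", "Statement": statements},
        "context": {"scope": " ".join(sorted(granted))},  # strings/numbers/bools only
    }

def authorize(event: dict, decode_claims: Callable[[str], dict],
              now: Optional[int] = None) -> dict:
    """Raising Exception('Unauthorized') makes API Gateway answer 401; a route
    the returned policy denies (or does not allow) gets 403."""
    now = int(time.time()) if now is None else now
    token = extract_bearer(event.get("headers") or {})
    if token is None:
        raise Exception("Unauthorized")
    try:
        claims = decode_claims(token)          # signature, iss, aud checked here
    except Exception:
        raise Exception("Unauthorized")
    if claims.get("exp", 0) <= now:
        raise Exception("Unauthorized")
    return build_policy(claims["sub"], event["methodArn"], token_scopes(claims))

# Constructed stand-in for the JWT library: opaque demo tokens -> verified claims.
DEMO_CLAIMS = {
    "tok-reader": {"sub": "auth0|reader", "scope": "read:user", "exp": 2_000_000_000},
    "tok-admin": {"sub": "auth0|admin", "scope": "read:user create:user delete:user",
                  "exp": 2_000_000_000},
}

def demo_decode(token: str) -> dict:
    if token not in DEMO_CLAIMS:
        raise ValueError("signature verification failed")
    return DEMO_CLAIMS[token]

def demo_event(method: str, resource_path: str, token: Optional[str]) -> dict:
    """Minimal REQUEST event shaped like the one in the answer (ids are placeholders)."""
    return {
        "methodArn": f"arn:aws:execute-api:us-east-1:123456789012:abc123/dev/{method}{resource_path}",
        "requestContext": {"httpMethod": method, "resourcePath": resource_path},
        "headers": {"Authorization": f"Bearer {token}"} if token else {},
    }
```

To deploy, a `lambda_handler(event, context)` would call `authorize(event, decode_claims)` with `decode_claims` wired to the JWT library. A token carrying only `read:user` gets a policy that allows `GET /users` and denies `POST /users` and `DELETE /users/*`, so the create and delete calls receive 403; a missing or non-Bearer Authorization header, a bad signature or an expired token yields 401 via the `Unauthorized` exception. Because every known route appears in the policy, a cached authorizer result for that token remains correct for any later route it is replayed against.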
