
AWS API Gateway Custom Authorizer Role Validation

Is there any way of specifying allowed scopes on an API Gateway method such that the allowed scopes are passed to a custom authorizer and validated against the scopes claim in an access token?

E.g. a get users endpoint might be available to all users, but a create user endpoint only available to users with the create:user scope. As well as ensuring the access token is valid, the custom authorizer would check the scope claim in the token and compare it to the allowed scopes for the method.

Would prefer not to have to write a different authorizer function for each combination of required scopes.

I notice something like this is possible with Cognito, but my identity provider / token issuer is Auth0, so I am using a Lambda function to validate the access token.

Kind regards

You should be able to use a single Lambda Authorizer to protect both endpoints based on the token scope. You will want to use a Request-based Enhanced Lambda Authorizer.

You pass the access token in the Authorization header and verify the access token signature and expiration before processing the request.

An example of the Event object received by the authorizer:

{
    "methodArn": "arn:aws:execute-api:us-east-1:XXXXXXXXXX:xxxxxx/dev/GET/hello",
    "resource": "/hello",
    "requestContext": {
        "resourceId": "xxxx",
        "apiId": "xxxxxxxxx",
        "resourcePath": "/hello",
        "httpMethod": "GET",
        "requestId": "9e04ff18-98a6-11e7-9311-ef19ba18fc8a",
        "path": "/dev/hello",
        "accountId": "XXXXXXXXXXX",
        "identity": {
            "apiKey": "",
            "sourceIp": "58.240.196.186"
        },
        "stage": "dev"
    },
    "queryStringParameters": {},
    "httpMethod": "GET",
    "pathParameters": {},
    "headers": {
        "cache-control": "no-cache",
        "x-amzn-ssl-client-hello": "AQACJAMDAAAAAAAAAAAAAAAAAAAAAAAAAAAA…",
        "Accept-Encoding": "gzip, deflate",
        "X-Forwarded-For": "54.240.196.186, 54.182.214.90",
        "Accept": "*/*",
        "User-Agent": "PostmanRuntime/6.2.5",
        "Authorization": "hello"
    },
    "stageVariables": {},
    "path": "/hello",
    "type": "REQUEST"
}

You can identify the request by the combination of event.requestContext.resourcePath and event.requestContext.httpMethod. Based on the request type and the scope defined in the token you can return an Allow or Deny policy. If, for example, the request is for the create user endpoint but the access token doesn't include the create:user scope, then you will return a policy to deny the request.
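The single REQUEST authorizer described above, written out as an added example in Node.js (not code from the original answer): the route-to-scope table and event values are constructed, and `verifyAccessToken` is an assumed hook that does the JWT signature, issuer, audience and expiry checks against Auth0 before any scope is looked at.

```javascript
// Constructed route table: "METHOD resourcePath" -> scopes the token must carry.
// An empty list means any validly signed, unexpired token is enough.
const REQUIRED_SCOPES = {
  "GET /users": [],
  "POST /users": ["create:user"],
  "DELETE /users/{id}": ["delete:user"],
};

// Auth0 issues "scope" as a space-separated string; other issuers use an array.
function tokenScopes(claims) {
  if (Array.isArray(claims.scope)) return new Set(claims.scope);
  if (typeof claims.scope === "string") return new Set(claims.scope.split(/\s+/).filter(Boolean));
  return new Set();
}

// IAM policy scoped to exactly the method that was requested.
function buildPolicy(principalId, effect, methodArn) {
  return {
    principalId,
    policyDocument: {
      Version: "2012-10-17",
      Statement: [{ Action: "execute-api:Invoke", Effect: effect, Resource: methodArn }],
    },
  };
}

// Pure decision step: given the REQUEST event and already-verified claims,
// look up the route and compare the required scopes with the granted ones.
function decide(event, claims) {
  const key = `${event.requestContext.httpMethod} ${event.requestContext.resourcePath}`;
  const required = REQUIRED_SCOPES[key];
  if (required === undefined) return buildPolicy(claims.sub, "Deny", event.methodArn); // unknown route: fail closed
  const granted = tokenScopes(claims);
  const effect = required.every((s) => granted.has(s)) ? "Allow" : "Deny";
  return buildPolicy(claims.sub, effect, event.methodArn);
}

// Authorizer entry point. `verifyAccessToken` is an assumed, injected function that
// validates the JWT (signature via Auth0 JWKS, iss, aud, exp) and returns the claims or throws.
async function handler(event, verifyAccessToken) {
  const header = (event.headers && (event.headers.Authorization || event.headers.authorization)) || "";
  const match = /^Bearer\s+(\S+)$/i.exec(header);
  if (!match) throw new Error("Unauthorized"); // API Gateway maps this message to a 401
  let claims;
  try {
    claims = await verifyAccessToken(match[1]);
  } catch (e) {
    throw new Error("Unauthorized"); // bad signature / expired: 401, never a cacheable Deny
  }
  return decide(event, claims); // wrong scope: Deny policy, API Gateway answers 403
}
```

If the authorizer result cache is enabled, the cached policy's Resource must cover every method the same token may call, or the cache key (identity source) must distinguish methods, because a Deny cached for POST /users would otherwise be replayed for GET /users.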
