Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

API Gateway HTTP API > JWT authorizer > VPC Link > ECS instance - How to access JWT claims?

1

I know if you use a Lambda integration with a JWT authorizer, the claims are added to event.requestContext. But when the request is sent to a server (in my case Node.js) running on an ECS instance, is there a way to access those claims? Or do I need to decode the token again? Many thanks.

Argomenti
ServerlessFront-end web e dispositivi mobiliNetworking e distribuzione di contenutiContainer
Tag
Gateway API di AmazonAWS FargateEquilibratore di carico applicazioni
Lingua
English
James Starkie
posta 9 mesi fa419 visualizzazioni
1 Risposta
1
Risposta accettata

Hi James, thanks for asking this question on re:Post!

You can use Parameter mapping feature of the HTTP API integration to add claims from the context of your JWT authorizer as custom headers of the request forwarded to the server. Please see the screenshot below.

Appending a custom header to the request

The claim path example $context.authorizer.jwt.claims.emailID can be found in our documentation. Please let us know if this solution worked for you!

AWS
Piotrek
con risposta 9 mesi fa
profile pictureAWS
ESPERTO
secondabhi_aws
verificato 9 mesi fa
  • James Starkie
    9 mesi fa

    Thanks Piotrek, that's great! Just one issue I've found one of the claims I want to forward is cognito:username. The colon seems to be causing problems in the parameter mapping, with an error

    Invalid mapping expression specified: Validation Result: warnings : [], errors : [Invalid mapping expression specified: $context.authorizer.claims.cognito:username]

    I've tried various ways around it but nothing is working, any suggestions?

    Many thanks

  • James Starkie
    9 mesi fa

    Unfortunately cognito:username and cognito:groups are the two claims I'm most interested in. I'll have to stick to decoding the token on the server for now. Thanks for your help!

  • Piotrek
    5 mesi fa

    Sure! For the additional issue you mentioned, it seems that the properties/paths containing a colon are not supported the moment. I was able to find a similar known issue for ALB integration deployed with CDK, and made sure to provide more context that will help us to prioritise this issue. Are you able to use any other claims (without colons) to satisfy your use case? Alternatively, like you noted, it should be possible to decode the token again on the server side.

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente