By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

API Gateway HTTP API > JWT authorizer > VPC Link > ECS instance - How to access JWT claims?

1

I know if you use a Lambda integration with a JWT authorizer, the claims are added to event.requestContext. But when the request is sent to a server (in my case Node.js) running on an ECS instance, is there a way to access those claims? Or do I need to decode the token again? Many thanks.

Topics
ServerlessFront-End Web & MobileNetworking & Content DeliveryContainers
Tags
Amazon API GatewayAWS FargateApplication Load Balancer
Language
English
James Starkie
asked 8 months ago400 views
1 Answer
1
Accepted Answer

Hi James, thanks for asking this question on re:Post!

You can use Parameter mapping feature of the HTTP API integration to add claims from the context of your JWT authorizer as custom headers of the request forwarded to the server. Please see the screenshot below.

Appending a custom header to the request

The claim path example $context.authorizer.jwt.claims.emailID can be found in our documentation. Please let us know if this solution worked for you!

AWS
Piotrek
answered 8 months ago
profile pictureAWS
EXPERT
secondabhi_aws
reviewed 8 months ago
  • James Starkie
    8 months ago

    Thanks Piotrek, that's great! Just one issue I've found one of the claims I want to forward is cognito:username. The colon seems to be causing problems in the parameter mapping, with an error

    Invalid mapping expression specified: Validation Result: warnings : [], errors : [Invalid mapping expression specified: $context.authorizer.claims.cognito:username]

    I've tried various ways around it but nothing is working, any suggestions?

    Many thanks

  • James Starkie
    8 months ago

    Unfortunately cognito:username and cognito:groups are the two claims I'm most interested in. I'll have to stick to decoding the token on the server for now. Thanks for your help!

  • Piotrek
    5 months ago

    Sure! For the additional issue you mentioned, it seems that the properties/paths containing a colon are not supported the moment. I was able to find a similar known issue for ALB integration deployed with CDK, and made sure to provide more context that will help us to prioritise this issue. Are you able to use any other claims (without colons) to satisfy your use case? Alternatively, like you noted, it should be possible to decode the token again on the server side.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content