Is it possible to craft an identity source that will read the JWT from a cookie?

1

I have a customer looking at API Gateway but does not want to write a custom authorizer, but rather would like to use native JWT integration.

The customer has researched into HTTP APIs and know that HTTP APIs can make use of JWT authorization by specifying an identity source of $request.header. Authorization (https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-jwt-authorizer.html).

There's a description of identity sources but it's not clear how, or if it's possible, to reference a cookie: https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-lambda-authorizer.html#http-api-lambda-authorizer.identity-sources

Is this possible, or do we have a workaround?

profile pictureAWS
EXPERT
pechung
asked 4 years ago1182 views
1 Answer
0
Accepted Answer

from doc: "For JWT, a single entry that specifies where to extract the JSON Web Token (JWT) from inbound requests. Currently only header-based and query parameter-based selections are supported, for example $request.header.Authorization."

As a workaround you can use a Lambda authorizer that will get the full request and validate the token.

profile pictureAWS
EXPERT
Uri
answered 4 years ago
  • I've stumbled upon https://stackoverflow.com/questions/60861268/ which references an archived AWS Forums post and says that there is a backlog request to support Cookies with Token-based authorizers. However, since the post is archived I cannot tell if it contained the link to that backlog request or not. Uri, do you happen to know if such request exists so we could +1 it?

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions