How do you specify the JWT scope for a single rout...
# sstr
Roger Rajaratnam
03/04/2021, 5:46 PMHow do you specify the JWT scope for a single route?
Roger Rajaratnam
03/04/2021, 5:47 PMIf my claims look like this:
Copy code
{
"sub": "5B22A526-C5C5-4D02-ADBC-95709E2CAE22",
"cognito:groups": [
"test"
],
"event_id": "EE18407B-3E10-4E95-A549-EA93BE094687",
"token_use": "access"
}Roger Rajaratnam
03/04/2021, 5:49 PMHow can I secure the route so that a user must have cognito:groups === “test”
Roger Rajaratnam
03/04/2021, 5:49 PMCan I set authorizationScopes on a route level?
f
Frank
03/04/2021, 6:48 PM
I’m not too familiar with JWT. You are trying to assign different scopes to different routes so some routes are accessible for some users while others are not. Is that right?
r
Roger Rajaratnam
03/04/2021, 7:36 PMYeah
Roger Rajaratnam
03/04/2021, 7:37 PMBasically I was to say this route requires this scope
Roger Rajaratnam
03/04/2021, 7:37 PMI can do the check in the lambda code, but it would be nice if I could do it in the route defintion
Roger Rajaratnam
03/04/2021, 7:39 PM Copy code
"GET /private": {
function: "src/private.main",
authorizationType: sst.ApiAuthorizationType.JWT,
authorizationScopes: ["cognito:groups == test"]
},Roger Rajaratnam
03/04/2021, 7:39 PMI thought something like this, but I am not sure if this will work, the docs are not to clear
f
Frank
03/04/2021, 7:40 PM
Not right now.. but let me put that in today
r
Roger Rajaratnam
03/04/2021, 7:41 PMThe cognito groups is coming back as an array so I’m not sure how your would check for a value in an array here
f
Frank
03/04/2021, 7:41 PM
Yeah.. the example snippet is what I have in mind too
r
Roger Rajaratnam
03/04/2021, 7:42 PMYou can do defaultAuthorizationScopes: [“username”, “sub”]
Roger Rajaratnam
03/04/2021, 7:42 PMThese work, an objects work as well
Roger Rajaratnam
03/04/2021, 7:43 PMThat’s awesome @Frank thank you for being so responsive.
f
Frank
03/04/2021, 8:14 PM
No worries. For reference: https://github.com/serverless-stack/serverless-stack/issues/193
Frank
03/06/2021, 6:43 AM
@Roger Rajaratnam Just added support for this in v0.9.15
To update
Copy code
$ npm install --save --save-exact @serverless-stack/cli@0.9.15 @serverless-stack/resources@0.9.15authorizationScopes Copy code
"GET /private": {
function: "src/private.main",
authorizationScopes: ["user.email"]
},Frank
03/06/2021, 6:43 AM
Give it a try and let me know if it works for you.
r
Roger Rajaratnam
03/06/2021, 11:12 AM@Frank did you manage to add the ability to check array values?
f
Frank
03/06/2021, 11:11 PM
@Roger Rajaratnam I’m not too familiar with JWT. I know u can do this with a Lambda authorizer.. I’m not sure if you can have conditions in the scope like you suggested
["cognito:groups == test"]Frank
03/06/2021, 11:11 PM
If you find something, definitely let me know.. it’d be useful to add it to the doc.
Frank
03/06/2021, 11:17 PM
5 Views