Is it possible to make an http api authorizer limi...
# help
g
Is it possible to make an http api authorizer limit routes to users that are in an "Admin" group in cognito or would I need to check their group in the actual lambda function?
f
I think this is possible with a custom authorizer… not sure if the JWT authorizer supports this out of the box
just my gut feeling… haven’t done something like this… 😁
g
Figured that might be the case, thanks for the input
s
Frank’s right, your Lambda function would have to check the claims. A custom authorizer might be able to do it… but if I’m not mistaken, a custom authorizer is powered by a Lambda function, so it may or may not be worth doing that
a
Yes, a custom authorizer is basically a lambda in which you can implement your custom logic; we use it to verify the JWT and do other checks too.
g
With the auth example for cognito on https://docs.serverless-stack.com/constructs/Api#adding-auth What does making defaultAuthorizationScopes = ['user.id', 'user.email'] do? Not sure I understand what the docs say about it.
f
I haven’t tried using JWT with Cognito user pool, but here’s what I gather from reading the doc
API Gateway allows or denies requests based on token validation, and optionally, scopes in the token. If you configure scopes for a route, the token must include at least one of the route’s scopes.