2

我制作了一个自定义 lambda 授权器来验证 JWT 并返回Allow策略。

 var context = new APIGatewayCustomAuthorizerContextOutput();

 var tokenUse = ExtractClaims(claims, "token_use");
 context["tokenType"] = tokenUse;
 var response = new APIGatewayCustomAuthorizerResponse
 {
     PrincipalID = "asd",
     PolicyDocument = new APIGatewayCustomAuthorizerPolicy
     {
         Version = "2012-10-17",
         Statement = new List<APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement>()
         {
             new APIGatewayCustomAuthorizerPolicy.IAMPolicyStatement
             {
                 Action = new HashSet<string>() {"execute-api:Invoke"},
                 Effect = "Allow",
                 Resource = new HashSet<string>() {"***"} // resource arn here
              }
          },
      },
      Context = context
 };

 return response;

现在我需要在我的资源服务器上使用这个身份。

问题是我在授权人上下文中提出的声明authorizer直接出现在

 "authorizer": {
            "cognito:groups": "Admin", ...
 }

但我Amazon.Lambda.AspNetCoreServer.APIGatewayProxyFunction希望那些在authorizer.claims.

像这样:

 "authorizer": {
            "claims": {
                "cognito:groups": "Admin", ... 
             }
  }

我知道这一点,因为当我使用内置的 Cognito 用户池授权器时它正在工作,它正在输入这样的输入。

我设法发现不允许 Lambda Authorizer 将嵌套对象添加到上下文中(并测试authorizer error如果我这样做它会抛出。)

我还发现,在APIGatewayProxyFunction提取身份时,它会查看 Authorizer.Claims。

因此,我需要以某种方式绕过Claims属性在我的资源服务器上提取它们,或者将嵌套对象添加到授权方响应中,这是不允许的。

做什么?

4

1 回答 1

2

所以我通过覆盖PostCreateContext我的LambdaEntryPoint : Amazon.Lambda.AspNetCoreServer.APIGatewayProxyFunction.

protected override void PostCreateContext(
        HostingApplication.Context context,
        APIGatewayProxyRequest apiGatewayRequest, ILambdaContext lambdaContext)
{
        // handling output from cognito user pool authorizer
        if (apiGatewayRequest?.RequestContext?.Authorizer?.Claims != null)
        {
            var identity = new ClaimsIdentity(apiGatewayRequest.RequestContext.Authorizer.Claims.Select(
                entry => new Claim(entry.Key, entry.Value.ToString())), "AuthorizerIdentity");

            context.HttpContext.User = new ClaimsPrincipal(identity);
            return;
        }

        // handling output from lambda authorizer
        if (apiGatewayRequest?.RequestContext?.Authorizer != null)
        {
            var identity = new ClaimsIdentity(apiGatewayRequest.RequestContext.Authorizer.Select(
                entry => new Claim(entry.Key, entry.Value.ToString())), "AuthorizerIdentity");

            context.HttpContext.User = new ClaimsPrincipal(identity);
        }
    }

编辑:还向修复此问题的 aws-lambda-dotnet 库提交了拉取请求。

编辑 2:我的拉取请求已经合并了一段时间,如果使用最新版本,这不再是问题Amazon.Lambda.AspNetCoreServer(不确定哪个版本首先拥有它,但 3.1.0 肯定有)

于 2019-03-05T08:44:13.900 回答