
Context

I am rewriting an ASP.NET Core application from running on Lambda to running in an ECS container. Lambda supports the claims injected by the Cognito authorizer out of the box, but Kestrel does not.

API requests come in through API Gateway, where a Cognito User Pool authorizer validates the OAuth2 token and enriches the HttpContext with the claims from the token.

Originally the application ran on Lambda with an entry point inheriting from Amazon.Lambda.AspNetCoreServer.APIGatewayProxyFunction, which extracts these claims and adds them to Request.HttpContext.User.Claims.

Kestrel of course does not support this, and the AWS ASP.NET Cognito Identity Provider seems to be meant to do the same thing the authorizer is already doing.

Solution?

So I thought maybe I could add some custom code to extract them. The HTTP request injected into the Lambda looks like this, so I expect it should be the same when proxied to ECS:

{
    "resource": "/{proxy+}",
    "path": "/api/authtest",
    "httpMethod": "GET",
    "headers": {
        <...>
    },
    "queryStringParameters": null,
    "pathParameters": {
        "proxy": "api/authtest"
    },
    "requestContext": {
        "resourceId": "8gffya",
        "authorizer": {
            "cognito:groups": "Admin",
            "phone_number_verified": "true",
            "cognito:username": "normj",
            "aud": "3mushfc8sgm8uoacvif5vhkt49",
            "event_id": "75760f58-f984-11e7-8d4a-2389efc50d68",
            "token_use": "id",
            "auth_time": "1515973296",
            "you_are_special": "true"
        }
    <...>
}

Is it possible, and how, to add all the key/value pairs from requestContext.authorizer to Request.HttpContext.User.Claims?


1 Answer


I found a different solution for this.

Instead of trying to modify HttpContext, I mapped the authorizer output to request headers in the API Gateway integration. The downside is that each claim needs to be hard-coded, since there seems to be no way to iterate over them.

Example Terraform

resource "aws_api_gateway_integration" "integration" {
  rest_api_id             = "${var.aws_apigateway-id}"
  resource_id             = "${aws_api_gateway_resource.proxyresource.id}"
  http_method             = "${aws_api_gateway_method.method.http_method}"
  integration_http_method = "ANY"
  type                    = "HTTP_PROXY"
  uri                     = "http://${aws_lb.nlb.dns_name}/{proxy}"

  connection_type = "VPC_LINK"
  connection_id   = "${aws_api_gateway_vpc_link.is_vpc_link.id}"

  request_parameters = {
    "integration.request.path.proxy"                     = "method.request.path.proxy"
    "integration.request.header.Authorizer-ResourceId"   = "context.authorizer.resourceId"
    "integration.request.header.Authorizer-ResourceName" = "context.authorizer.resourceName"
    "integration.request.header.Authorizer-Scopes"       = "context.authorizer.scopes"
    "integration.request.header.Authorizer-TokenType"    = "context.authorizer.tokenType"
  }
}
answered 2019-05-23T07:31:14.177
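The container side of this approach, as an added example (not the answerer's code or part of the AWS libraries): ASP.NET Core middleware that reads the Authorizer-* headers written by the integration mapping above and turns them into claims on HttpContext.User. It assumes the container is reachable only through the API Gateway VPC link, so the headers always come from the integration mapping and never from a client; the claim type names and the "ApiGatewayAuthorizer" label are hypothetical choices for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

// Turns the "Authorizer-*" headers that the API Gateway integration mapping
// writes into claims on HttpContext.User, so [Authorize] policies can use them.
// Assumes the container is reachable only through API Gateway's VPC link, so a
// client can never supply these headers itself (the mapping overwrites them).
public class AuthorizerHeaderClaimsMiddleware
{
    private readonly RequestDelegate _next;
    // Header names match the Terraform request_parameters above; the claim
    // types on the right are hypothetical names chosen for this example.
    private static readonly Dictionary<string, string> HeaderToClaim =
        new Dictionary<string, string>
        {
            ["Authorizer-ResourceId"]   = "resourceId",
            ["Authorizer-ResourceName"] = "resourceName",
            ["Authorizer-Scopes"]       = "scope",
            ["Authorizer-TokenType"]    = "tokenType",
        };
    public AuthorizerHeaderClaimsMiddleware(RequestDelegate next) => _next = next;

    public async Task InvokeAsync(HttpContext context)
    {
        var claims = new List<Claim>();
        foreach (var pair in HeaderToClaim)
        {
            if (!context.Request.Headers.TryGetValue(pair.Key, out var raw)) continue;
            var value = raw.ToString();
            if (string.IsNullOrWhiteSpace(value)) continue;
            // Cognito scopes arrive space separated; emit one "scope" claim each.
            var parts = pair.Key == "Authorizer-Scopes"
                ? value.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries)
                : new[] { value };
            foreach (var part in parts)
                claims.Add(new Claim(pair.Value, part));
        }
        if (claims.Count > 0)
        {
            // Passing an authentication type marks the identity as authenticated;
            // "ApiGatewayAuthorizer" is a hypothetical label for this example.
            context.User = new ClaimsPrincipal(new ClaimsIdentity(claims, "ApiGatewayAuthorizer"));
        }
        await _next(context);
    }
}
```

Register it with `app.UseMiddleware<AuthorizerHeaderClaimsMiddleware>()` before `app.UseAuthorization()` so the claims are in place when policies are evaluated.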