aws api gateway validation and authorisation

0 votes

TL;DR I want to make sure that the userid passed in the HTTP body and the claim subject in the token matches, else its a spoof request

Very interesting scenario , look at this HTTP post request

POST /v1/details HTTP/1.1
Host: api.abc.com
Authorization: eyJraWQiOiJwV2FIVXBhXC9NMUZtbXROSTRhblwvTFBxTmhSU1pKRmJKa3NMN2dHWE51bWM9IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIzYWUxMzYzZC1kY2UzLTQ5NjEtYmVkZS1jY2RmYTE3YzY0MTciLCJhdWQiOiIxa2NyNTAxamRkanJnaGNsb3FobnVxdmtmOSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwiZXZlbnRfaWQiOiI2Y2JkNTk5OC1mOTgzLTExZTctOTYxNC1jMWEyMWM4YjNmOWEiLCJ0b2tlbl91c2UiOiJpZCIsImF1dGhfdGltZSI6MTUxNTk3Mjg1MSwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLWVhc3QtMS5hbWF6b25hd3MuY29tXC91cy1lYXN0LTFfZkZyNWt6anYzIiwiY29nbml0bzp1c2VybmFtZSI6InRlc3RzdnRpZDFAbG92ZWR3ZWFsdGguY29tIiwiZXhwIjoxNTE1OTc2NDUxLCJpYXQiOjE1MTU5NzI4NTEsImVtYWlsIjoidGVzdHN2dGlkMUBsb3ZlZHdlYWx0aC5jb20ifQ.V9Gl_xDPx8z4-bd3TDjWTrBo3mVBo9vyYDXOTvMZ-lQRACBvSaK26QOcVCRE1FDJiKBfv4y3ckRGRI3p1T_SnY-rusvfN8rxiRD_kG34W0WF586RpXUGmQ9bL-F7IpVO5Bg1NqlBt3SZjzPWR1xyUxujbs2V-7u6K0dt7Nnv9Tb3H09jYqfwyE6Zu_MqOO9kztFu_SzIXy83pMujE34bVmLTABcJuAFKePDyTRB4tKB_u8ago0VmCnm0ivlivGY8GQsu2tMajA02ihwmXgoX5zDHcyFpYexoY2OtM9m8J62VNgeHjKgkLjlobyC-fL4fG4DbSg42hnEshA2Mz0GYlA
Accept: application/json
Content-Type: application/json
Cache-Control: no-cache
{
    "query":"{\n  sprouts_detail(user_id: \"3ae1363d-dce3-4961-bede-ccdfa17c6417\") {\n    sprouts_detail {\n      sprout_id\n   }\n  }  \n}","variables":null,"operationName":null 
}

In the header is the cogntio token with user credentials , and the user claims

I can get access to user claims using body templates , like this , but it doesn't seem to work inside model

{
    "sub" : "$context.authorizer.claims.sub"
}

Question :- I wanted to verify if the $context.authorizer.claims.sub is the same as in the graphql query user_id field in the POST body

"query":"{\n  sprouts_detail(user_id: \"3ae1363d-dce3-4961-bede-ccdfa17c6417\")

if its same, let it pass through, if its not the same, deny it and throw 403 forbidden

Not working

{  
   "$schema":"http://json-schema.org/draft-04/schema#",
   "definitions":{  
      "GraphQLAuthorizationModel":{  
         "type":"object",
         "title":"GraphQLAuthorizationModel",
         "properties":{  
            "query":{  
               "oneOf":[  
                  {  
                     "pattern":"$context.authorizer.claims.sub"
                  }
               ],
               "type":"string"
            }
         },
         "required":[  
            "query"
         ]
      }
   }
}

However if i change $context.authorizer.claims.sub with say user_id , it works as expected and check for the user_id string in the http body payload

Oct 10, 2018 in AWS by eatcodesleeprepeat
 • 4,710 points 1,741 views

1 answer to this question.

0 votes
I think we can use request validators, instead of integration request templates. However i am not sure, if we have access to the context object there basically , we need to come up with a JSON schema, which can validate the userid from cognitor inside the body of the HTTP request , hope it makes sense
answered Oct 10, 2018 by Priyaj
 • 58,020 points

Related Questions In AWS

0 votes
1 answer

Experimenting with AWS API Gateway default response and triggering AWS Lambda

You can try out the following steps  Post ...READ MORE

answered Aug 16, 2018 in AWS by Deepthi
 • 300 points 2,193 views
+1 vote
3 answers

Invoking AWS Lambda API Gateway vs Direct Invocation

Most of the time, adding API Gateway ...READ MORE

answered Apr 17, 2018 in AWS by Flying geek
 • 3,280 points 6,788 views
0 votes
2 answers

Adding swagger to existing aws lambda (API Gateway)

I have only used Swagger with API ...READ MORE

answered Aug 20, 2018 in AWS by Priyaj
 • 58,020 points 4,969 views
+1 vote
3 answers

Not able to pass params POST to AWS Lambda from Amazon API Gateway

For this template : application/x-www-form-urlencoded  This line below will ...READ MORE

answered Jun 13, 2018 in AWS by Cloud gunner
 • 4,670 points 9,852 views
0 votes
1 answer

How to make ApiGateway point to specific Lambda bias

You actually need to make changes to ...READ MORE

answered Dec 21, 2018 in AWS by Archana
 • 5,640 points 2,151 views
0 votes
1 answer

Get the names of different stages in an AWS Lambda function?

How to get the name of the ...READ MORE

answered Sep 27, 2018 in AWS by Priyaj
 • 58,020 points 3,973 views
0 votes
1 answer

how to access AWS S3 from Lambda in VPC

With boto3, the S3 urls are virtual by default, ...READ MORE

answered Sep 28, 2018 in AWS by Priyaj
 • 58,020 points 11,114 views
0 votes
1 answer

How to map, trace and display AWS X-Ray GoLang Lambda to lambda service

You don't need to add a subsegment ...READ MORE

answered Oct 15, 2018 in AWS by Priyaj
 • 58,020 points 2,916 views
0 votes
1 answer

How can I return binary body and http headers from an AWS lambda through API gateway

I recently got this working after facing ...READ MORE

answered Sep 4, 2018 in AWS by Priyaj
 • 58,020 points 8,873 views
+1 vote
2 answers

Starting with an AWS Instance with API and AUTHPARAMS

The API is usually much easier to ...READ MORE

answered Apr 17, 2018 in AWS by Cloud gunner
 • 4,670 points 4,780 views
webinar REGISTER FOR FREE WEBINAR X
REGISTER NOW
webinar_success Thank you for registering Join Edureka Meetup community for 100+ Free Webinars each month JOIN MEETUP GROUP
"PMP®","PMI®", "PMI-ACP®" and "PMBOK®" are registered marks of the Project Management Institute, Inc. MongoDB®, Mongo and the leaf logo are the registered trademarks of MongoDB, Inc.