aws api gateway validation and authorisation

0 votes

TL;DR: I want to make sure that the userid passed in the HTTP body and the claim subject in the token match, else it's a spoof request.

Very interesting scenario, look at this HTTP POST request:

POST /v1/details HTTP/1.1
Host: api.abc.com
Authorization: eyJraWQiOiJwV2FIVXBhXC9NMUZtbXROSTRhblwvTFBxTmhSU1pKRmJKa3NMN2dHWE51bWM9IiwiYWxnIjoiUlMyNTYifQ....V9Gl_xDPx8z4-bd3TDjWTrBo3mVBo9vyYDXOTvMZ-lQRACBvSaK26QOcVCRE1FDJiKBfv4y3ckRGRI3p1T_SnY-rusvfN8rxiRD_kG34W0WF586RpXUGmQ9bL-F7IpVO5Bg1NqlBt3SZjzPWR1xyUxujbs2V-7u6K0dt7Nnv9Tb3H09jYqfwyE6Zu_MqOO9kztFu_SzIXy83pMujE34bVmLTABcJuAFKePDyTRB4tKB_u8ago0VmCnm0ivlivGY8GQsu2tMajA02ihwmXgoX5zDHcyFpYexoY2OtM9m8J62VNgeHjKgkLjlobyC-fL4fG4DbSg42hnEshA2Mz0GYlA
Accept: application/json
Content-Type: application/json
Cache-Control: no-cache

{
    "query": "{\n  sprouts_detail(user_id: \"3ae1363d-dce3-4961-bede-ccdfa17c6417\") {\n    sprouts_detail {\n      sprout_id\n   }\n  }  \n}",
    "variables": null,
    "operationName": null
}

In the header is the Cognito token with user credentials, and the user claims.

I can get access to user claims using body templates, like this, but it doesn't seem to work inside a model:

{
    "sub" : "$context.authorizer.claims.sub"
}

Question: I wanted to verify if the $context.authorizer.claims.sub is the same as the user_id field of the GraphQL query in the POST body:

"query":"{\n  sprouts_detail(user_id: \"3ae1363d-dce3-4961-bede-ccdfa17c6417\")

If it's the same, let it pass through; if it's not the same, deny it and throw 403 Forbidden.

Not working:

{
   "$schema": "http://json-schema.org/draft-04/schema#",
   "definitions": {
      "GraphQLAuthorizationModel": {
         "type": "object",
         "title": "GraphQLAuthorizationModel",
         "properties": {
            "query": {
               "oneOf": [
                  {
                     "pattern": "$context.authorizer.claims.sub"
                  }
               ],
               "type": "string"
            }
         },
         "required": [
            "query"
         ]
      }
   }
}

However, if I replace $context.authorizer.claims.sub with, say, user_id, it works as expected and checks for the user_id string in the HTTP body payload.

Oct 10, 2018 in AWS by eatcodesleeprepeat
• 4,670 points
78 views

1 answer to this question.

0 votes
I think we can use request validators instead of integration request templates. However, I am not sure if we have access to the context object there. Basically, we need to come up with a JSON schema which can validate the userid from Cognito inside the body of the HTTP request. Hope it makes sense.
answered Oct 10, 2018 by Priyaj
• 56,120 points
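The comparison the question asks for cannot be expressed in a request-validator model: a model is static JSON Schema, its "pattern" is a regular expression, and $context variables are not substituted into it, so the check has to run in code that sees both the verified claims and the body. The following is an added example, not the asker's or AWS's code, of doing it in a Python Lambda behind a Cognito authorizer; it assumes the Lambda proxy event shape (claims under requestContext.authorizer.claims, raw JSON in body) and builds a constructed sample event from the request in the question. It also resolves user_id when the query passes it as a GraphQL variable, since a literal-only check would miss that form.

```python
import json
import re

# Constructed sample event in the API Gateway Lambda proxy format (assumed shape):
# a Cognito user-pool authorizer puts the verified token claims under
# requestContext.authorizer.claims and the raw POST body under "body".
SAMPLE_EVENT = {
    "requestContext": {"authorizer": {"claims": {"sub": "3ae1363d-dce3-4961-bede-ccdfa17c6417"}}},
    "body": json.dumps({
        "query": '{\n  sprouts_detail(user_id: "3ae1363d-dce3-4961-bede-ccdfa17c6417") '
                 '{\n    sprouts_detail {\n      sprout_id\n   }\n  }  \n}',
        "variables": None,
        "operationName": None,
    }),
}

# user_id given either as a string literal or as a GraphQL variable ($name)
USER_ID_RE = re.compile(r'\buser_id\s*:\s*(?:"([^"]*)"|\$(\w+))')

def extract_user_id(body):
    """Return the single user_id argument of the GraphQL query, or None if absent or ambiguous."""
    try:
        payload = json.loads(body or "")
    except json.JSONDecodeError:
        return None
    if not isinstance(payload, dict) or not isinstance(payload.get("query"), str):
        return None
    matches = USER_ID_RE.findall(payload["query"])
    if len(matches) != 1:  # none or several user_id arguments: reject
        return None
    literal, var_name = matches[0]
    if not var_name:
        return literal
    variables = payload.get("variables")  # user_id: $var -> resolve from "variables"
    value = variables.get(var_name) if isinstance(variables, dict) else None
    return value if isinstance(value, str) else None

def authorise(event):
    """Allow only when the token's sub claim equals the user_id in the body."""
    claims = event.get("requestContext", {}).get("authorizer", {}).get("claims", {})
    sub = claims.get("sub")
    user_id = extract_user_id(event.get("body"))
    if not sub or user_id is None or user_id != sub:
        return False, 403
    return True, 200

def handler(event, context=None):
    allowed, status = authorise(event)
    if not allowed:
        return {"statusCode": 403, "body": json.dumps({"message": "Forbidden"})}
    return {"statusCode": 200, "body": json.dumps({"ok": True})}  # placeholder for the real backend call
```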
