我正在重写从lambda上运行以在ECS容器上运行的ASP.NET Core应用程序。 Lambda支持开箱即用的Cognito授权者提出的声明,但Kestrel不支持。
API请求通过API网关传入,Cognito用户池授权者正在其中验证OAuth2令牌,并将声明从令牌扩展到httpContext。
最初,该应用在Lambda上运行,入口点继承了Amazon.Lambda.AspNetCoreServer.APIGatewayProxyFunction,提取了这些声明并将其添加到Request.HttpContext.User.Claims。
红est当然不支持,AWS ASPNET Cognito Identity Provider似乎是用来执行授权者正在做的相同事情的。
所以我想到也许可以添加一些自定义代码来提取它。注入到lambda中的HTTP请求看起来像这样,所以我希望当它被代理到ECS时应该是相同的
{
"resource": "/{proxy+}",
"path": "/api/authtest",
"httpMethod": "GET",
"headers": {
<...>
},
"queryStringParameters": null,
"pathParameters": {
"proxy": "api/authtest"
},
"requestContext": {
"resourceId": "8gffya",
"authorizer": {
"cognito:groups": "Admin",
"phone_number_verified": "true",
"cognito:username": "normj",
"aud": "3mushfc8sgm8uoacvif5vhkt49",
"event_id": "75760f58-f984-11e7-8d4a-2389efc50d68",
"token_use": "id",
"auth_time": "1515973296",
"you_are_special": "true"
}
<...>
}
有可能吗,如何将所有从requestContext.authorizer到Request.HttpContext.User.Claims的键/值对相加?
答案 0 :(得分:0)
我为此找到了另一种解决方案。
我没有尝试修改HttpContext,而是将授权者输出映射到API Gateway集成中的请求标头。缺点是每个要求都必须进行硬编码,因为似乎不可能对其进行迭代。
地形示例
resource "aws_api_gateway_integration" "integration" {
rest_api_id = "${var.aws_apigateway-id}"
resource_id = "${aws_api_gateway_resource.proxyresource.id}"
http_method = "${aws_api_gateway_method.method.http_method}"
integration_http_method = "ANY"
type = "HTTP_PROXY"
uri = "http://${aws_lb.nlb.dns_name}/{proxy}"
connection_type = "VPC_LINK"
connection_id = "${aws_api_gateway_vpc_link.is_vpc_link.id}"
request_parameters = {
"integration.request.path.proxy" = "method.request.path.proxy"
"integration.request.header.Authorizer-ResourceId" = "context.authorizer.resourceId"
"integration.request.header.Authorizer-ResourceName" = "context.authorizer.resourceName"
"integration.request.header.Authorizer-Scopes" = "context.authorizer.scopes"
"integration.request.header.Authorizer-TokenType" = "context.authorizer.tokenType"
}
}