How to retrieve custom JWT claims from within Lambda with Identity Pool?


I have the following scenario and am trying to understand the right way to implement it.

I have Okta as my IDP. Amazon API gateway for managing my APIs and some lambdas which handle the API requests. Identity Pool is used to provide AWS credentials to the client accessing the APIs.

When the client accesses the API, I need my lambda (which handles the request) to fetch the data from DynamoDB, and filter it based on a few attributes that are specific to the user that has logged in to the client. e.g. I need to retrieve accounts for a customer using the API, but the user only has access to certain accounts and so the lambda should filter the result.

I am thinking of having some custom claims defined for each user in Okta. When the client authenticates with Okta, it receives a JWT token with these claims. And it fetches the AWS credentials from Identity Pool with this token, to access the API. The API would trigger the lambda. Here, I would want to retrieve the claims and use them for filtering the data.

Any thoughts on how this can be achieved? Or is there a better way to address this?

Thank you.


BEST ANSWER

We can use Lambda authorizers for such a scenario. Please refer to one of the following documents based on your API type.

  1. REST APIs
  2. HTTP APIs

(Conceptually, both Lambda Authorizers are more or less the same.)

What you have to do is:

  • In the Lambda Authorizer, validate the incoming JWT (which is generated by Okta). Then follow the steps below only if the token is valid.
  • Based on the custom claim(s) (which you configured in Okta for every user), create key-value pair(s) in the context of the output of the Lambda Authorizer (as mentioned here or here).
  • Then those context details are available to your Lambda which does the DB lookup. With that you can do the filtering.

API gateway routes can be authorized using built-in JWT authorizers, which turned out to be the easiest way to access my custom claims from the token. The JWT authorizer updates the requestContext in the event with the JWT claims, which are accessible to the Lambda integrated with the route.

However, the lambda authorizer would provide a lot more flexibility (as suggested by @sampath-dilhan) e.g. if you want to add any additional attributes to the context.

{
    "requestContext" : {
        "accountId": "121212121",
        "appid": "6adqwerk8",
        "authorizer" : {
            "jwt": {
                "claims": {
                    "aud": "api://default",
                    .
                    .
                    .
                    "mycustomclaim": "customvalue"
                },
                "scopes": "xyz"
            }
        }
        .
        .
        .
    }
}
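As an added example (not code from either answer), here is a Python Lambda handler that reads the custom claims from whichever authorizer shape the two answers describe and filters the rows with them; the allowed_accounts claim, the event values and the DynamoDB rows are constructed placeholders.

```python
import json

# Constructed sample event shaped like the HTTP API JWT-authorizer payload in
# the answer above; every value is a placeholder, not a real identifier.
SAMPLE_EVENT = {
    "requestContext": {
        "authorizer": {
            "jwt": {
                "claims": {
                    "aud": "api://default",
                    "allowed_accounts": "acct-001,acct-003",  # hypothetical custom claim
                },
            }
        }
    }
}

# Constructed stand-in for the rows the Lambda would read from DynamoDB.
ALL_ACCOUNTS = [
    {"account_id": "acct-001", "balance": 10},
    {"account_id": "acct-002", "balance": 20},
    {"account_id": "acct-003", "balance": 30},
]


def custom_claims(event):
    """Return the claims map from any of the three authorizer shapes, or {}.

    JWT authorizer: requestContext.authorizer.jwt.claims
    HTTP API Lambda authorizer (payload 2.0): requestContext.authorizer.lambda
    REST API Lambda authorizer: context keys directly under requestContext.authorizer
    """
    authorizer = (event.get("requestContext") or {}).get("authorizer") or {}
    if "jwt" in authorizer:
        return authorizer["jwt"].get("claims") or {}
    if "lambda" in authorizer:
        return authorizer["lambda"] or {}
    return authorizer


def allowed_account_ids(claims):
    # Hypothetical comma-separated claim; a missing claim yields an empty set,
    # so a user with no grant sees nothing rather than everything.
    raw = claims.get("allowed_accounts", "")
    return {a.strip() for a in raw.split(",") if a.strip()}


def filter_accounts(event, rows):
    allowed = allowed_account_ids(custom_claims(event))
    return [r for r in rows if r["account_id"] in allowed]


def handler(event, context):
    # Lambda entry point: the API Gateway authorizer already validated the
    # token, so the handler only reads the claims and filters the rows.
    return {"statusCode": 200, "body": json.dumps(filter_accounts(event, ALL_ACCOUNTS))}
```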