How to use AWS SAM CLI Local HttpAPI with JWT Bearer token Auth offline?


I would like to use AWS SAM JWT HttpApi Auth offline

Based on this AWS example, I decided to create the following YAML file.

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Resources:
  HelloWorldFunction:
    Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
    Properties:
      CodeUri: hello-world/
      Handler: app.lambdaHandler
      Runtime: nodejs10.x
      Events:
        ExplicitApi: # warning: creates a public endpoint
          Type: HttpApi
          Properties:
            ApiId: !Ref HttpApi
            Method: GET
            Path: /path
            TimeoutInMillis: 15000
            PayloadFormatVersion: "2.0"
            RouteSettings:
              ThrottlingBurstLimit: 600
  HttpApi:
    Type: AWS::Serverless::HttpApi
    Properties:
      FailOnWarnings: True
      Auth:
        Authorizers:
          MyOauthAuthorizer:
            IdentitySource: $request.header.Authorization
            JwtConfiguration:
              audience:
                - audience
              issuer: issuer-url
        DefaultAuthorizer: MyOauthAuthorizer

Using AWS::Serverless::HttpApi, based on the docs, creates an Amazon API Gateway HTTP API which supports JWT based auth.

I start it with

sam local start-api

However, when I query it with Postman, with or without a JWT Bearer token, the request succeeds.
And the AWS query does not contain a single authenticated user object.

Running it in debug mode does not provide any useful additional information either.

exports.lambdaHandler = async (event, context) => {
  try {
    // const ret = await axios(url);
    // Echo the event back so the request context (and any authorizer claims) can be inspected
    const response = {
      statusCode: 200,
      body: JSON.stringify({
        message: "hello world",
        event,
        context,
        // location: ret.data.trim()
      }),
    };
    return response;
  } catch (err) {
    console.log(err);
    // Return a well-formed HTTP API response instead of the bare Error object
    return {
      statusCode: 500,
      body: JSON.stringify({ message: err.message }),
    };
  }
};

My expectation would be that AWS SAM CLI would convert the Bearer token based on the correctly provided Issuer URL into an identity value which I can use in later operations.

Does AWS SAM Local not support this while running locally?


SAM Local unfortunately doesn't support Authorizers. There is a feature request on AWS SAM's GitHub repository to add this feature, see https://github.com/aws/aws-sam-cli/issues/137