A python helper library for AWS API Gateway Custom Authorizers.
pip install aws-lambda-pyauthlib
or
pipenv install aws-lambda-pyauthlib
'''authorizer_handler.py'''
from pyauthlib import UserInfo, AuthPolicy, HttpMethod, parse_event, raise_401
from my_auth_client import get_client
def lambda_handler(event, _context):
'''Exchanges access token for user_info and returns the policy.
Unauthorized users are denied all access.
Users are allowed read access to all resources.
Admins are allowed full access to all resources.
'''
event = parse_event(event)
identity = get_client().get_identity(event.access_token)
user_info = UserInfo(identity['user_id'], identity['grants'])
policy = AuthPolicy(user_info)
if not user_info:
raise_401()
elif 'ROLE_ADMIN' in user_info.authorities:
policy.allow(event.arn(method=HttpMethod.ALL, resource='*'))
else:
policy.allow(event.arn(method=HttpMethod.GET, resource='*'))
return policy.build()
You can also return an arbitrary authorizer context, by passing kwargs into the UserInfo. A list of authorities is always required, but nothing is stopping you from using an empty list.
Go check out the examples!