Miserlou / Zappa

Serverless Python
https://blog.zappa.io/
MIT License

AuthorizationScopes not supported #1816

Open urluba opened 5 years ago

urluba commented 5 years ago

Context

When using Cognito, API Gateway provides the authorizationScopes property on the API Gateway Method to match against scopes in the access token.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-method.html#cfn-apigateway-method-authorizationscopes

A list of authorization scopes configured on the method. The scopes are used with a COGNITO_USER_POOLS authorizer to authorize the method invocation. The authorization works by matching the method scopes against the scopes parsed from the access token in the incoming request. The method invocation is authorized if any method scopes matches a claimed scope in the access token. Otherwise, the invocation is not authorized. When the method scope is configured, the client must provide an access token instead of an identity token for authorization purposes.

Expected Behavior

Using a COGNITO_USER_POOLS authorizer, we should be able to provide a list of scopes. For example:

{
    "authorizer": {
        "type": "COGNITO_USER_POOLS",
        "provider_arns": [
            "arn:aws:cognito-idp:{region}:{account_id}:userpool/{user_pool_id}"
        ],
        "authorization_scopes": [
            "scope_1",
            "scope_2"
        ]
    }
}

Actual Behavior

All invocations are not authorized, as no matching scopes are found.

Possible Fix

Enrich the CFN template with the AuthorizationScopes attribute.

Steps to Reproduce

N/A

Your Environment

N/A
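To make the request concrete, here is an added example (not Zappa's own code) that maps the proposed authorization_scopes setting onto the AWS::ApiGateway::Method properties and models the scope check quoted above from the CloudFormation docs. The settings-to-template mapping, the authorizer logical ID and the sample token claims are assumptions constructed for this example.

```python
# Constructed settings block in the shape proposed in the issue (placeholders kept).
SETTINGS = {
    "authorizer": {
        "type": "COGNITO_USER_POOLS",
        "provider_arns": [
            "arn:aws:cognito-idp:{region}:{account_id}:userpool/{user_pool_id}"
        ],
        "authorization_scopes": ["scope_1", "scope_2"],
    }
}


def method_properties(authorizer: dict, authorizer_logical_id: str = "Authorizer") -> dict:
    """Build the scope-related AWS::ApiGateway::Method properties for a
    COGNITO_USER_POOLS authorizer. The logical ID of the authorizer resource
    is an assumption; only the keys relevant to this issue are emitted."""
    props = {
        "AuthorizationType": authorizer["type"],
        "AuthorizerId": {"Ref": authorizer_logical_id},
    }
    scopes = authorizer.get("authorization_scopes")
    if scopes:
        # This is the attribute the issue asks Zappa to add to the template.
        props["AuthorizationScopes"] = list(scopes)
    return props


def gateway_authorizes(method_scopes, token_claims: dict) -> bool:
    """Model of the rule quoted from the CloudFormation docs: once scopes are
    configured, the caller must present an access token (token_use == "access",
    scopes in the space-separated "scope" claim) and at least one method scope
    must match a claimed scope. With no scopes configured, an ID token is accepted."""
    if not method_scopes:
        return True
    if token_claims.get("token_use") != "access":
        return False  # an identity token is rejected when scopes are configured
    claimed = set(token_claims.get("scope", "").split())
    return bool(claimed & set(method_scopes))


if __name__ == "__main__":
    props = method_properties(SETTINGS["authorizer"])
    print(props)
    # Constructed access token claims: one of the method scopes is present.
    print(gateway_authorizes(props["AuthorizationScopes"],
                             {"token_use": "access", "scope": "openid scope_2"}))
```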

GoneWacko commented 4 years ago

I ran into this issue today as well. I noticed troposphere already supports this feature, so it was only a matter of making it configurable through the zappa_settings.

aditya-bhawsingka commented 4 years ago

Do we know when the fix for this issue will be merged into master?

ffleandro commented 4 years ago

Why hasn't this been merged?