aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

api-gateway: access custom cognito claim in parameterMapping of HttpAlbIntegration #22010

Open rmpt opened 2 years ago

rmpt commented 2 years ago

Describe the bug

When declaring an HttpAlbIntegration with a parameterMapping for a regular Cognito claim, say email or sub, everything works fine. But when defining a parameterMapping for a custom attribute, where the syntax implies using the prefix custom:, it complains about the expression being invalid.

I've tried according to the RestApi documentation (https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-enable-cognito-user-pool.html) but no luck: "$context.authorizer.claims['custom:my_attr']"

Expected Behavior

The custom attribute should be accessible like any other.

Current Behavior

cdk returns a BadRequest:

Invalid mapping expression specified: Validation Result: warnings : [], errors : 
[Invalid mapping expression specified: $context.authorizer.claims.custom:my_attr] 
(Service: AmazonApiGatewayV2; Status Code: 400; Error Code: BadRequestException; Request ID: d9f58770-dc40-4268-9515-ef4cc354e4d3; Proxy: null)

Reproduction Steps

Create a HttpAlbIntegration for the api gateway:

// apigatewayv2 was still shipped as an alpha module at CDK 2.41.0
import { HttpMethod, MappingValue, ParameterMapping } from '@aws-cdk/aws-apigatewayv2-alpha';
import { HttpAlbIntegration } from '@aws-cdk/aws-apigatewayv2-integrations-alpha';

// albListener and vpcLinkStack.vpcLink are created elsewhere in the stack
const integration = new HttpAlbIntegration('http-alb-integration', albListener, {
  method: HttpMethod.ANY,
  vpcLink: vpcLinkStack.vpcLink,
  parameterMapping: new ParameterMapping()
    // the ':' in the custom claim name is what the service rejects
    .appendHeader('x-my-attr', MappingValue.contextVariable('authorizer.claims.custom:my_attr'))
});

cdk will complain about the authorizer.claims.custom:my_attr because of the :.

Possible Solution

Some alternative syntax for these cases, for instance authorizer.claims.[custom:my_attr], so that custom:my_attr would be treated as a block.

Additional Information/Context

No response

CDK CLI Version

2.41.0 (build 6ad48a3)

Framework Version

No response

Node.js Version

v16.14.2

OS

macOS Monterey 12.5.1

Language

Typescript

Language Version

3.9.7

Other information

No response

masonchenkb commented 1 year ago

Any updates on this one? I have the same issue when adding custom Cognito attributes in the parameter mapping for an API GW integration via the UI portal.

yonihod commented 1 year ago

Also have this problem with both the UI portal and the OpenAPI integration.

piotrekwitkowski commented 1 year ago

For visibility, the same error in the AWS Console. My full error message is:

Invalid mapping expression specified: Validation Result: warnings : [], errors : [Invalid mapping expression specified: $context.authorizer.jwt.claims.cognito:username]

[Screenshot of the same validation error in the AWS Console, taken 2023-08-18 16:02:09]

petr-pokorny-1 commented 1 year ago

For the ID token, I was able to solve this issue with the help of a pre-token-generation Lambda trigger, where I added an additional claim without that stupid custom: prefix.

import { PreTokenGenerationTriggerHandler } from 'aws-lambda'; // types from @types/aws-lambda

export const handler: PreTokenGenerationTriggerHandler = async (event) => {
    // copy the custom attribute into a claim whose name contains no ':'
    const tenantId = event.request.userAttributes['custom:tenantid'];
    event.response = {
        claimsOverrideDetails: {
            claimsToAddOrOverride: {
                tenantid: tenantId
            }
        },
    };
    return event;
};

and then

// '@aws-cdk/aws-apigatewayv2-alpha' on CDK versions where the module was still alpha
import { MappingValue, ParameterMapping } from 'aws-cdk-lib/aws-apigatewayv2';

const parameterMapping = new ParameterMapping();
// the flattened claim name has no ':' and is accepted by the mapping grammar
parameterMapping.appendHeader('tenantid', MappingValue.contextVariable("authorizer.claims.tenantid"));

piotrekwitkowski commented 10 months ago

Thanks for the workaround. It seems like for now, only two special characters are supported: . (dot) and _ (underscore). Hopefully the service team implements support for : (colons) soon.
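As an added example (not code from the issue, from any commenter, or from aws-cdk), the following TypeScript puts the two points above together: the Pre Token Generation trigger flattens every custom: attribute into a claim name made only of letters, digits and underscores, and a small pre-flight check refuses any context-variable path containing other characters, so the problem surfaces when the stack is built rather than as the BadRequestException shown in the issue. The event type is a minimal inline subset of the real Cognito event (an assumption, so the file runs without @types/aws-lambda), the sample event is constructed, and the rule that only "." and "_" are accepted besides letters and digits is taken from the observation in this thread, not from AWS documentation.

```typescript
// Added example, not code from the issue or from aws-cdk.

// Minimal subset of the Cognito Pre Token Generation (V1) event, declared inline
// as an assumption so the file runs without @types/aws-lambda.
interface PreTokenGenerationEventSubset {
  request: { userAttributes: Record<string, string> };
  response: {
    claimsOverrideDetails?: {
      claimsToAddOrOverride?: Record<string, string>;
    };
  };
}

// Assumed grammar for one "."-separated segment of a $context mapping variable,
// based on the thread's observation that only "." and "_" are accepted.
const SEGMENT_RE = /^[A-Za-z0-9_]+$/;

// True when every segment of the path matches the assumed grammar.
// "authorizer.jwt.claims.custom:tenantid" fails because of the ":".
export function isValidContextPath(path: string): boolean {
  return path.split('.').every((segment) => SEGMENT_RE.test(segment));
}

// Turn a Cognito attribute name into a claim name the grammar accepts:
// "custom:tenantid" -> "tenantid", "custom:cost-center" -> "cost_center".
export function toMappableClaimName(attribute: string): string {
  const prefix = 'custom:';
  const stripped = attribute.startsWith(prefix) ? attribute.slice(prefix.length) : attribute;
  return stripped.replace(/[^A-Za-z0-9_]/g, '_');
}

// Trigger logic: copy every "custom:*" attribute into an extra claim under its
// flattened name. Refuses to shadow a name that already exists as a plain
// attribute (e.g. "custom:email" next to "email"), since the mapping expression
// downstream would otherwise silently forward the wrong value.
export function addFlattenedClaims(event: PreTokenGenerationEventSubset): PreTokenGenerationEventSubset {
  const attrs = event.request.userAttributes;
  const added: Record<string, string> = {};
  for (const [name, value] of Object.entries(attrs)) {
    if (!name.startsWith('custom:')) continue;
    const claim = toMappableClaimName(name);
    if (claim in attrs || claim in added) {
      throw new Error(`refusing to map ${name}: claim name "${claim}" already exists`);
    }
    added[claim] = value;
  }
  event.response = { claimsOverrideDetails: { claimsToAddOrOverride: added } };
  return event;
}

// Lambda entry point; the real trigger handler is async.
export const handler = async (event: PreTokenGenerationEventSubset) => addFlattenedClaims(event);

// Builds the argument for MappingValue.contextVariable() for an HTTP API JWT
// authorizer, whose claims live under "authorizer.jwt.claims". Throws at build
// time when the claim name would be rejected by the service.
export function jwtClaimContextVariable(claim: string): string {
  const path = `authorizer.jwt.claims.${claim}`;
  if (!isValidContextPath(path)) {
    throw new Error(`"${path}" is not a valid mapping expression; flatten the claim first`);
  }
  return path;
}

// Constructed sample event (not from the issue): one user with two custom attributes.
export const sampleEvent: PreTokenGenerationEventSubset = {
  request: {
    userAttributes: {
      sub: '11111111-2222-3333-4444-555555555555',
      email: 'alice@example.com',
      'custom:tenantid': 'acme',
      'custom:cost-center': 'cc-42',
    },
  },
  response: {},
};
```

Two practical notes. The V1 trigger only customises the ID token, as the workaround above says, so a backend that validates access tokens will not see the flattened claim. And when the resulting path is wired into ParameterMapping, a header the backend treats as trusted identity (tenant id, username) should be set with overwriteHeader rather than appendHeader: the append mapping keeps any value of the same header the client sent, so the backend would receive the client-supplied value alongside the one taken from the token.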

BwL1289 commented 6 months ago

Also interested.