What are the return object requirements for the WebSocket $connect route in an AWS API Gateway V2 API?
Tags: amazon-web-services, websocket, aws-api-gateway, terraform-provider-aws, lambda-authorizer

I am using Terraform to create a WebSocket with AWS API Gateway V2 resources such as aws_apigatewayv2_route and aws_apigatewayv2_authorizer. When my authorizer lambda runs, it gets the token via headers.Auth from the incoming "type": "REQUEST" event; it looks like "Bearer eyJmaWOiQiI3Y…JTMjU2In0.eyjxpwioi…" (a very long string). The token is the part after "Bearer".
The code processes the token to get the "kid" and so on, and matches it against the keys retrieved from the Cognito jwks.json file (this is sample code I got from somewhere on the AWS website).
The code flow passes the "signature successfully verified" point, so far so good.
The question is: what should the authorizer lambda return?
The sample code that successfully verifies the signature indicates that a claims object should be returned. It looks like this:
claims:
{
    "sub": "2jjtzzzyyyxxx888g2pppp8sqqqqjagn",
    "token_use": "access",
    "scope": "transactions/post",
    "auth_time": 1596108906,
    "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_tZfQltfya",
    "exp": 1596112506,
    "iat": 1596108906,
    "version": 2,
    "jti": "f55a0c1d-b9ac-3b2f-b8da-0ee93335c828",
    "client_id": "2ku7unsnkde8g1i9n8s2usjbgo"
}
authResponse:
{
    "principalId": "xxxyyyzzz", // <--- I have tried various things here.
    "policyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": "execute-api:Invoke",
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:execute-api:us-east-1:11122223334444:n10gr0cw7m/test-stage/POST/*"
                ]
            }
        ]
    }
}
Other sample code indicates that an AuthResponse should be returned, like this:
The API Gateway V2 authorizer lambda should return the policy response, but with a few fixes.
Below is a working example with comments (again, some values have been changed for safety):
{
    // "App client ID" from the Cognito "App integration" section
    "principalId": "7P9F415HNXXBFBCH17JNAENCC",
    "policyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [ //
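As an added example (not the asker's or the answerer's code), here is a Python authorizer for the $connect route that extracts the token after "Bearer" from the Auth header, delegates signature checking to a caller-supplied function standing in for the JWKS check described in the question, and returns the policy-style response with the event's methodArn as the Resource instead of a hard-coded ARN. The sample event and token value are constructed placeholders.

```python
def extract_bearer_token(headers):
    """Return the token after 'Bearer' in the Auth header, or None if absent or malformed.
    Header names are compared case-insensitively (API Gateway may lowercase them)."""
    for name, value in (headers or {}).items():
        if name.lower() == "auth":
            parts = value.strip().split(None, 1)
            if len(parts) == 2 and parts[0].lower() == "bearer":
                return parts[1]
            return None
    return None


def build_auth_response(principal_id, effect, method_arn, claims=None):
    """Build the IAM-policy style object a WebSocket REQUEST authorizer must return.
    Resource is the methodArn of the route being authorized, not a hard-coded ARN.
    Values under 'context' must be flat strings, numbers or booleans, so claims
    are stringified before being copied in."""
    response = {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": method_arn,
            }],
        },
    }
    if claims:
        response["context"] = {k: str(v) for k, v in claims.items()}
    return response


def authorize(event, verify_token):
    """Handle the $connect REQUEST event. verify_token stands in for the caller's
    JWKS signature check and returns the claims dict, or None if the token is bad.
    A missing or failing token gets an explicit Deny on the same methodArn."""
    method_arn = event["methodArn"]
    token = extract_bearer_token(event.get("headers"))
    claims = verify_token(token) if token else None
    if not claims:
        return build_auth_response("anonymous", "Deny", method_arn)
    return build_auth_response(claims["sub"], "Allow", method_arn, claims)


# Constructed sample event (not a captured one); the token value is a placeholder.
SAMPLE_EVENT = {
    "type": "REQUEST",
    "methodArn": "arn:aws:execute-api:us-east-1:111122223333:abc123/test-stage/$connect",
    "headers": {"Auth": "Bearer PLACEHOLDER.TOKEN.VALUE"},
}
```

The context map is what the backend route integration sees later, so it is the place to forward verified claims such as sub and client_id.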