serverless-java-container

Unable to invoke lambda when "Authorization scopes" added to JWT Authorizer

Open rockey5520 opened this issue 4 years ago • 2 comments

Serverless Java Container version: eg. 1.5.2

Implementations: Spring Boot 2

Framework version: eg SpringBoot 2.4.1

Frontend service: HTTP API

Deployment method: SAM

Scenario

Describe what you are trying to accomplish: I am trying to invoke a Lambda via an HTTP API with a JWT authorizer. Calls to the Lambda fail when I add "Authorization scopes" in the JWT authorizer (on the HTTP API).

Expected behavior

I would expect that the Lambda can be invoked with or without Authorization scopes in the JWT authorizer.

Actual behavior

I am trying to invoke a Lambda via an HTTP API with a JWT authorizer. Calls to the Lambda fail when I add "Authorization scopes" in the JWT authorizer (on the HTTP API), with the error message:

com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot deserialize instance of `java.lang.String` out of START_ARRAY token at [Source: (ByteArrayInputStream); line: 1, column: 3530] (through reference chain: com.amazonaws.serverless.proxy.model.AwsProxyRequest["requestContext"]->com.amazonaws.serverless.proxy.model.AwsProxyRequestContext["authorizer"]->com.amazonaws.serverless.proxy.model.ApiGatewayAuthorizerContext["scopes"])

But without "Authorization scopes" in the JWT authorizer (on the HTTP API), calls were going fine as long as the JWT is valid.

Steps to reproduce

Create a Spring Boot 2 based AWS Lambda with an HTTP API and an Authorization scope with scopes specified in it.

The InputStream of the call when an Authorization scope is added contains a section with a scopes array, but the same is null when an Authorization scope is not defined in the JWT Authorizer in the HTTP API:

        "scopes": [
            "b",
            "a",
            "z",
            "y",
            "x"
        ]

InputStream of the call when an Authorization scope is not added:

        "scopes": null

Full log output

Paste the full log output from the Lambda function's CloudWatch logs

logs

rockey5520, Apr 26 '21 07:04
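The type mismatch behind the exception reported above can be reproduced with Jackson alone. The following is an added example, not code from the issue or from the project: it assumes jackson-databind is on the classpath, the class names `ScopesDemo`, `StringScopes` and `ListScopes` are hypothetical, and the JSON fragments are constructed from the snippets in the report. It binds the same `scopes` values to a `String` field, which fails on the array, and to a `List<String>` field that also tolerates `null` and a single string.

```java
import com.fasterxml.jackson.annotation.JsonFormat;
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.MismatchedInputException;
import java.util.List;

public class ScopesDemo {
    // Hypothetical model mirroring the failure: "scopes" declared as a String.
    @JsonIgnoreProperties(ignoreUnknown = true)
    public static class StringScopes {
        public String scopes;
    }

    // Hypothetical tolerant model: a list that also accepts a single string value.
    @JsonIgnoreProperties(ignoreUnknown = true)
    public static class ListScopes {
        @JsonFormat(with = JsonFormat.Feature.ACCEPT_SINGLE_VALUE_AS_ARRAY)
        public List<String> scopes;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        // Constructed fragments shaped like the two payloads quoted in the report.
        String withScopes = "{\"scopes\": [\"b\", \"a\", \"z\", \"y\", \"x\"]}";
        String withoutScopes = "{\"scopes\": null}";

        // null binds to a String field, so a route without scopes deserializes.
        StringScopes unscoped = mapper.readValue(withoutScopes, StringScopes.class);
        System.out.println("String model, null:  " + unscoped.scopes);

        // An array cannot bind to a String field: same exception class as in the report.
        try {
            mapper.readValue(withScopes, StringScopes.class);
        } catch (MismatchedInputException e) {
            System.out.println("String model, array: " + e.getOriginalMessage());
        }

        // The list-typed field accepts the array, null, and a lone string.
        System.out.println("List model, array:   "
                + mapper.readValue(withScopes, ListScopes.class).scopes);
        System.out.println("List model, null:    "
                + mapper.readValue(withoutScopes, ListScopes.class).scopes);
        System.out.println("List model, single:  "
                + mapper.readValue("{\"scopes\": \"a\"}", ListScopes.class).scopes);
    }
}
```

Because the failure happens while the request event is being parsed, the handler never sees the authorizer context, so any scope-based authorization logic in the application should be tested against payloads from routes both with and without scopes configured.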

Hi @rockey5520, sorry for the late response. Would you be willing to contribute a PR to address this issue? The source is located here: https://github.com/awslabs/aws-serverless-java-container/blob/master/aws-serverless-java-container-core/src/main/java/com/amazonaws/serverless/proxy/model/ApiGatewayAuthorizerContext.java

deki, Sep 01 '21 19:09

Hi @rockey5520, we plan to release a 1.7 version soon and I'd like to include a fix for that. However, looking at https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-develop-integrations-lambda.html, scopes are part of jwt and we have the corresponding property in: https://github.com/awslabs/aws-serverless-java-container/blob/45169fb4f8e6329f658e060acd5246c95dd1c5ff/aws-serverless-java-container-core/src/main/java/com/amazonaws/serverless/proxy/model/HttpApiV2JwtAuthorizer.java#L20. So I wonder how to reproduce your issue. Are you using the 2.0 payload?

deki, Jan 03 '22 08:01