All my users need to be registered and I don’t allow unauthenticated user; therefore, I can’t escape the cost for using user pool.
The API Gateway custom authorizer such looks like a cleaner way to do my app authorization check. But doing a quick cost calculation, it’s still more expensive than if I can do it in my Lambda function or even use Step Function. Again, out of topic, sorry, but I’m thinking a couple of ways to do it without API Gateway:
Do a Pre-Token Generation trigger in Cognito to check and add in addition claims pertaining to the user’s authorization against my custom rules (stored in dynamodb). My lambda function will then look at the claims and decide if the user can execute or not in the app logic
My Lambda function will check the user’s authorization against my custom rules and decide if the user can execute or not in the app logic.
Have you considered these 2 methods back then? Nonetheless, I’m stuck at both methods. I could hardly find any sample in writing Pre-Token Generation lambda in .net/java. And in the Lambda context, it only has the user’s CognitoID, and with the CognitoID, I can’t link it to the user in my UserPool. You know of a way?
I’m thinking of passing the jwt token as an parameter into my function, but not sure how secure it is. With API Gateway, I could use HTTPS to have it encrypted on the network layer. But with lambda direct invoke, can it be spoofed easily?