I am wondering what is the optimal way of dealing with authorization in a serverless REST API.
I have several endpoints (some of them pointing to the same function) deployed for a given service and I configure a common custom authorizer using Auth0 for all of them. By strictly following the examples we create a policy inside the authorizer code that is then cached (with a default TTL of 300s), that policy refers to the exact ARN of the called
This poses a problem as any other endpoint (even using the same function w/ different method or param) will be rejected by throwing a "User is not authorized to access this resource" error, as the ARN specified in the policy won't match.
This topic on AWS dev forums discusses this matter in depth, and the suggestions are to specify wildcard access for the full API in the policy or disable the cache (expensive!).
Wildcard access seems like not doing authorization at all and just verifying the token, as it would ignore any scope of the API. You can delegate scopes and authorization in the service's functions as Lambda exposes the distilled token in the event (user and claims)… I feel like I am missing something…
I really like the concept of a custom authorizer, by hiding my functions behind an independent token verification the attack surface is significantly reduced…
How is everyone dealing with the authorization flow?
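One way to reconcile caching with per-route authorization, as an added example that is not part of the original post: the authorizer derives the API stage from the incoming `methodArn` and returns a policy for the whole stage (or for the routes the token's scopes permit) instead of the single ARN it was called with, so the cached policy applies to every endpoint, and it forwards the verified claims in `context` so the backend function can still check scopes itself. The `SCOPE_ROUTES` table, the claims dict and the `methodArn` value are constructed sample data; verifying the Auth0 JWT itself is assumed to have happened before `build_policy` is called.

```python
"""Added example: stage-scoped authorizer policy plus downstream scope check.
Not code from the original post; SCOPE_ROUTES and all sample values are constructed."""
import re
from typing import Dict, List

# methodArn format: arn:aws:execute-api:{region}:{account}:{apiId}/{stage}/{METHOD}/{path}
_METHOD_ARN = re.compile(
    r"^(?P<prefix>arn:aws:execute-api:[^:]+:[^:]+:[^/]+)/"
    r"(?P<stage>[^/]+)/(?P<method>[^/]+)/(?P<path>.*)$"
)

# Hypothetical mapping from token scope to the METHOD/path routes it unlocks.
# Use {"*": ["*/*"]} if you want one wildcard for the whole stage.
SCOPE_ROUTES: Dict[str, List[str]] = {
    "read:items": ["GET/items", "GET/items/*"],
    "write:items": ["POST/items", "PUT/items/*", "DELETE/items/*"],
}


def parse_method_arn(method_arn: str) -> Dict[str, str]:
    """Split the methodArn API Gateway passes to the authorizer into its parts."""
    m = _METHOD_ARN.match(method_arn)
    if not m:
        raise ValueError("unexpected methodArn: %r" % method_arn)
    return m.groupdict()


def build_policy(principal_id: str, method_arn: str, claims: Dict[str, str],
                 scope_routes: Dict[str, List[str]] = SCOPE_ROUTES) -> dict:
    """Return the authorizer response. The policy is built from the stage, not
    from the exact method ARN, so the cached result (default TTL 300 s) is valid
    for every endpoint of the API; routes outside the Allow list are still
    refused because API Gateway denies anything the policy does not allow."""
    parts = parse_method_arn(method_arn)
    stage_base = "%s/%s" % (parts["prefix"], parts["stage"])
    scopes = set(claims.get("scope", "").split())
    resources = sorted({
        "%s/%s" % (stage_base, route)
        for s in scopes for route in scope_routes.get(s, [])
    })
    if resources:
        statement = {"Action": "execute-api:Invoke", "Effect": "Allow", "Resource": resources}
    else:
        # Token carries no usable scope: explicit Deny on the stage, so the cached
        # entry for this token keeps rejecting every route until it expires.
        statement = {"Action": "execute-api:Invoke", "Effect": "Deny",
                     "Resource": ["%s/*/*" % stage_base]}
    return {
        "principalId": principal_id,
        "policyDocument": {"Version": "2012-10-17", "Statement": [statement]},
        # context values are passed to the backend as requestContext.authorizer.*
        "context": {"sub": claims["sub"], "scope": claims.get("scope", "")},
    }


def require_scope(event: dict, needed: str) -> bool:
    """Backend-side check on the scopes the authorizer forwarded (defense in depth)."""
    granted = event.get("requestContext", {}).get("authorizer", {}).get("scope", "")
    return needed in set(granted.split())


if __name__ == "__main__":
    # Constructed sample call: the authorizer is invoked for GET /items/42 on stage "dev".
    sample_arn = "arn:aws:execute-api:us-east-1:123456789012:abcdef123/dev/GET/items/42"
    sample_claims = {"sub": "auth0|user1", "scope": "read:items"}
    print(build_policy("auth0|user1", sample_arn, sample_claims))
```

Choosing between the scope-to-route table and a plain stage wildcard is the trade-off the question describes: the table keeps route-level enforcement at the gateway while still being cacheable, at the cost of keeping the table in sync with the API; the wildcard is simpler and pushes all scope checks into the functions via `require_scope`.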