aws-lambda jwt amazon-cognito aws-identity-pools

How to retrieve custom JWT claims from within Lambda with Identity Pool?


I have the following scenario and am trying to understand the right way to implement it.

I have Okta as my IDP, Amazon API Gateway for managing my APIs, and some Lambdas which handle the API requests. Identity Pool is used to provide AWS credentials to the client accessing the APIs.

When the client accesses the API, I need my lambda (which handles the request) to fetch the data from DynamoDB, and filter it based on a few attributes that are specific to the user that has logged in to the client. e.g. I need to retrieve accounts for a customer using the API, but the user only has access to certain accounts and so the lambda should filter the result.

I am thinking of having some custom claims defined for each user in Okta. When the client authenticates with Okta, it receives a JWT token with these claims. And it fetches the AWS credentials from Identity Pool with this token, to access the API. The API would trigger the lambda. Here, I would want to retrieve the claims and use them for filtering the data.

Any thoughts on how this can be achieved? Or is there a better way to address this?

Thank you.


Solution

  • We can use Lambda authorizers for such a scenario. Please refer to one of the following documents based on your API type.

    1. REST APIs
    2. HTTP APIs

    (Conceptually both Lambda Authorizers are more or less the same.)

    What you have to do is:
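The pattern the answer points at, as an added example that is not part of the question or the answer above: a REST API TOKEN-type Lambda authorizer verifies the JWT, returns an IAM policy for the `methodArn`, and copies the custom claims into `context`; API Gateway then exposes that context to the backend Lambda as `event["requestContext"]["authorizer"]`, which is the only place the backend should read claims from (never from the raw `Authorization` header, which has not been verified at that point). Everything concrete here is assumed: the issuer, audience, claim names (`customerId`, `accountIds`), the in-memory table standing in for DynamoDB, and the HS256 shared secret. A real Okta token is RS256-signed and would be verified against Okta's JWKS; HS256 with the standard library is used only so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions, not from Okta or the original post).
DEMO_SECRET = b"demo-secret-not-for-production"
EXPECTED_ISSUER = "https://example.okta.com/oauth2/default"
EXPECTED_AUDIENCE = "api://accounts"

# Constructed stand-in for the DynamoDB accounts table.
ACCOUNTS_TABLE = [
    {"customerId": "c1", "accountId": "acc-100", "balance": 10},
    {"customerId": "c1", "accountId": "acc-200", "balance": 20},
    {"customerId": "c1", "accountId": "acc-300", "balance": 30},
    {"customerId": "c2", "accountId": "acc-900", "balance": 90},
]


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Mint an HS256 JWT; stands in for the token Okta would issue (RS256 in reality)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_jwt(token: str, secret: bytes = DEMO_SECRET, now=None) -> dict:
    """Return the claims only if signature, alg, exp, iss and aud all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    # Pin the algorithm server-side: the token must never choose it (blocks alg=none
    # and key-confusion attacks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong issuer or audience")
    return claims


def authorizer_handler(event: dict, context=None) -> dict:
    """REST API TOKEN-type Lambda authorizer: verify the JWT, emit a policy plus context."""
    token = event.get("authorizationToken", "")
    if token.lower().startswith("bearer "):
        token = token[7:]
    try:
        claims = verify_jwt(token)
    except ValueError:
        # API Gateway maps this exact message to an HTTP 401 for the caller.
        raise Exception("Unauthorized")
    return {
        "principalId": claims["sub"],
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": "Allow",
                           "Resource": event["methodArn"]}],
        },
        # Authorizer context values must be scalars (string/number/bool), so the
        # list-valued claim is flattened to a comma-separated string.
        "context": {"customerId": claims["customerId"],
                    "accountIds": ",".join(claims.get("accountIds", []))},
    }


def backend_handler(event: dict, context=None) -> dict:
    """The API's backend Lambda: filter rows by claims the authorizer already verified."""
    auth = event["requestContext"]["authorizer"]
    allowed = {a for a in auth.get("accountIds", "").split(",") if a}
    rows = [r for r in ACCOUNTS_TABLE
            if r["customerId"] == auth["customerId"] and r["accountId"] in allowed]
    return {"statusCode": 200, "body": json.dumps(rows)}
```

Two things to keep when adapting this: the authorizer, not the backend, is the trust boundary, so the signature, `alg`, `exp`, `iss` and `aud` checks all live there; and because API Gateway caches authorizer responses per token (configurable TTL), a change to a user's `accountIds` claim in Okta is only picked up once a fresh token is presented.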