本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
x-amazon-apigateway-authorizer 物件
定義要套用於閘道中方法叫用授權的 Lambda JWT 授權者、Amazon Cognito 使用者集區或授權者。API此延伸套用至「開啟 API 2」和「開啟 API
屬性名稱 | 類型 | 描述 |
---|---|---|
type |
string |
授權方的類型。這是必要屬性。 對於 RESTAPIs, 針對 HTTPAPIs,指定 |
authorizerUri |
string |
授權者 Lambda 函數的統一資源識別碼 (URI)。語法如下:
|
authorizerCredentials |
string |
以IAM執行角色的形式呼叫授權者 (如果有的話) 所需ARN的認證。例如,「ARN: AW: IAM:: |
authorizerPayloadFormatVersion |
string |
針對 HTTPAPIs,指定API閘道傳送給 Lambda 授權者的資料格式,以及API閘道如何解譯 Lambda 的回應。如需進一步了解,請參閱 裝載格式版本。 |
enableSimpleResponses |
Boolean |
對於 HTTPAPIs,指定 |
identitySource |
string |
做為身分來源之請求參數的對應表達式逗號分隔清單。僅適用於 |
jwtConfiguration |
Object |
指定授權者的發行JWT者和對象。若要深入瞭解,請參閱API閘道版本 2 API 參考資料JWTConfiguration中的。僅支援 HTTPAPIs. |
identityValidationExpression |
string |
驗證做為傳入身分之字符的一般表達式。例如,"^x-[a-z]+"。僅支援的 |
authorizerResultTtlInSeconds |
string |
快取授權方結果的秒數。 |
providerARNs |
string 陣列 |
的亞馬遜認可使用者集區ARNs清單。 |
x-amazon-apigateway-authorizer 範例 REST APIs
下列 Open API 安全性定義範例會指定「權杖」類型並命名為test-authorizer
的 Lambda 授權者。
"securityDefinitions" : { "test-authorizer" : { "type" : "apiKey", // Required and the value must be "apiKey" for an API Gateway API. "name" : "Authorization", // The name of the header containing the authorization token. "in" : "header", // Required and the value must be "header" for an API Gateway API. "x-amazon-apigateway-authtype" : "custom", // Specifies the authorization mechanism for the client. "x-amazon-apigateway-authorizer" : { // An API Gateway Lambda authorizer definition "type" : "token", // Required property and the value must "token" "authorizerUri" : "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:
account-id
:function:function-name
/invocations", "authorizerCredentials" : "arn:aws:iam::account-id
:role", "identityValidationExpression" : "^x-[a-z]+", "authorizerResultTtlInSeconds" : 60 } } }
下列開啟API作業物件程式碼片段會設定GET /http
為使用先前的 Lambda 授權程式。
"/http" : { "get" : { "responses" : { }, "security" : [ { "test-authorizer" : [ ] } ], "x-amazon-apigateway-integration" : { "type" : "http", "responses" : { "default" : { "statusCode" : "200" } }, "httpMethod" : "GET", "uri" : "http://api.example.com" } } }
下列 Open API 安全性定義範例會指定「請求」類型的 Lambda 授權者,並以單一標頭參數 (auth
) 做為身分識別來源。securityDefinitions
名為 request_authorizer_single_header
。
"securityDefinitions": { "request_authorizer_single_header" : { "type" : "apiKey", "name" : "auth", // The name of a single header or query parameter as the identity source. "in" : "header", // The location of the single identity source request parameter. The valid value is "header" or "query" "x-amazon-apigateway-authtype" : "custom", "x-amazon-apigateway-authorizer" : { "type" : "request", "identitySource" : "method.request.header.auth", // Request parameter mapping expression of the identity source. In this example, it is the 'auth' header. "authorizerCredentials" : "arn:aws:iam::123456789012:role/AWSepIntegTest-CS-LambdaRole", "authorizerUri" : "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:123456789012:function:APIGateway-Request-Authorizer:vtwo/invocations", "authorizerResultTtlInSeconds" : 300 } } }
下列 Open API 安全性定義範例會指定「請求」類型的 Lambda 授權者,其中一個標頭 (HeaderAuth1
) 和一個查詢字串參數QueryString1
做為身分識別來源。
"securityDefinitions": { "request_authorizer_header_query" : { "type" : "apiKey", "name" : "Unused", // Must be "Unused" for multiple identity sources or non header or query type of request parameters. "in" : "header", // Must be "header" for multiple identity sources or non header or query type of request parameters. "x-amazon-apigateway-authtype" : "custom", "x-amazon-apigateway-authorizer" : { "type" : "request", "identitySource" : "method.request.header.HeaderAuth1, method.request.querystring.QueryString1", // Request parameter mapping expressions of the identity sources. "authorizerCredentials" : "arn:aws:iam::123456789012:role/AWSepIntegTest-CS-LambdaRole", "authorizerUri" : "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:123456789012:function:APIGateway-Request-Authorizer:vtwo/invocations", "authorizerResultTtlInSeconds" : 300 } } }
下列 Open API 安全性定義範例會指定「請求」類型的API閘道 Lambda 授權者,並以單一階段變數 (stage
) 做為身分識別來源。
"securityDefinitions": { "request_authorizer_single_stagevar" : { "type" : "apiKey", "name" : "Unused", // Must be "Unused", for multiple identity sources or non header or query type of request parameters. "in" : "header", // Must be "header", for multiple identity sources or non header or query type of request parameters. "x-amazon-apigateway-authtype" : "custom", "x-amazon-apigateway-authorizer" : { "type" : "request", "identitySource" : "stageVariables.stage", // Request parameter mapping expression of the identity source. In this example, it is the
stage
variable. "authorizerCredentials" : "arn:aws:iam::123456789012:role/AWSepIntegTest-CS-LambdaRole", "authorizerUri" : "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:123456789012:function:APIGateway-Request-Authorizer:vtwo/invocations", "authorizerResultTtlInSeconds" : 300 } } }
下列開放API安全定義範例會將 Amazon Cognito 使用者集區指定為授權者。
"securityDefinitions": { "cognito-pool": { "type": "apiKey", "name": "Authorization", "in": "header", "x-amazon-apigateway-authtype": "cognito_user_pools", "x-amazon-apigateway-authorizer": { "type": "cognito_user_pools", "providerARNs": [ "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_ABC123" ] } }
下列開啟API作業物件程式碼片段會設定GET /http
為使用先前的 Amazon Cognito 使用者集區做為授權者,且沒有自訂範圍。
"/http" : { "get" : { "responses" : { }, "security" : [ { "cognito-pool" : [ ] } ], "x-amazon-apigateway-integration" : { "type" : "http", "responses" : { "default" : { "statusCode" : "200" } }, "httpMethod" : "GET", "uri" : "http://api.example.com" } } }
x-amazon-apigateway-authorizer 範例 HTTP APIs
下列 Open API 3.0 範例會建立使用 Amazon Cognito 做為身分JWT識別提供者的授權者,並將Authorization
標頭做為身分識別來源。HTTP API
"securitySchemes": { "jwt-authorizer-oauth": { "type": "oauth2", "x-amazon-apigateway-authorizer": { "type": "jwt", "jwtConfiguration": { "issuer": "https://cognito-idp.region.amazonaws.com/userPoolId", "audience": [ "audience1", "audience2" ] }, "identitySource": "$request.header.Authorization" } } }
下列 Open API 3.0 範例會產生與前一個範例相同的JWT授權者。但是,此範例會使用 Open API openIdConnectUrl
屬性來自動偵測發行者。openIdConnectUrl
必須具備完整格式。
"securitySchemes": { "jwt-authorizer-autofind": { "type": "openIdConnect", "openIdConnectUrl": "https://cognito-idp.region.amazonaws.com/userPoolId/.well-known/openid-configuration", "x-amazon-apigateway-authorizer": { "type": "jwt", "jwtConfiguration": { "audience": [ "audience1", "audience2" ] }, "identitySource": "$request.header.Authorization" } } }
下列範 Lambda 會針對 HTTPAPI. 此範例授權方使用 Authorization
標頭作為其身分來源。授權方會使用 2.0
承載格式版本,並傳回布林值,因為系統將 enableSimpleResponses
設定為 true
。
"securitySchemes" : { "lambda-authorizer" : { "type" : "apiKey", "name" : "Authorization", "in" : "header", "x-amazon-apigateway-authorizer" : { "type" : "request", "identitySource" : "$request.header.Authorization", "authorizerUri" : "arn:aws:apigateway:
us-west-2
:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:123456789012:function:function-name
/invocations", "authorizerPayloadFormatVersion" : "2.0", "authorizerResultTtlInSeconds" : 300, "enableSimpleResponses" : true } } }