Amazon HTTP API Gateway JWT Authorization with scopes vs permissions

Hello,

I am trying to secure an Amazon HTTP Gateway using Auth0 and, correct me if I’m wrong, the current implementation of the permission claim in Auth0 to users through any API is not supported.

AWS’ documentation indicates that it will validate the following claims:

  • kid – The token must have a header claim that matches the key in the jwks_uri that signed the token.
  • iss – Must match the issuer that is configured for the authorizer.
  • aud – Must match one of the audience entries that is configured for the authorizer.
  • exp – Must be after the current time in UTC.
  • nbf – Must be before the current time in UTC.
  • scope or scp – The token must include at least one of the scopes in the route’s authorizationScopes.

It doesn’t say anything about a permissions claim. When I create a new scope for an API and assign it to a user, it comes in the JWT inside a permissions claim. Does this mean this is not compatible with AWS API Gateway for integration off the bat?

1 Like
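
The payload checks listed in the post, modelled as an added example (not code from AWS, Auth0 or the original poster), run over two constructed access-token payloads: one carrying the API permission only in `permissions`, one carrying it in `scope` as well. Signature and `kid` verification are left out; the issuer, audience and scope values are constructed, and treating a missing `exp` as a failure and an empty route scope list as "no scope check" are assumptions.

```python
import time

def _scopes(value):
    """Normalise a scope claim: space-delimited string or list -> set."""
    if value is None:
        return set()
    return set(value.split()) if isinstance(value, str) else set(value)

def failed_checks(claims, issuer, audiences, route_scopes, now=None):
    """Return the names of the listed payload checks that `claims` fails."""
    now = time.time() if now is None else now
    failed = []
    if claims.get("iss") != issuer:
        failed.append("iss")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if not set(aud) & set(audiences):
        failed.append("aud")
    exp = claims.get("exp")
    if not (isinstance(exp, (int, float)) and exp > now):  # assumption: exp required
        failed.append("exp")
    nbf = claims.get("nbf")
    if nbf is not None and nbf > now:
        failed.append("nbf")
    # Only `scope` / `scp` are consulted; a `permissions` claim is never read.
    if route_scopes:
        granted = _scopes(claims.get("scope")) | _scopes(claims.get("scp"))
        if not granted & set(route_scopes):
            failed.append("scope")
    return failed

# Constructed sample data (hypothetical tenant, API and permission names).
NOW = 1_700_000_000
ISSUER = "https://tenant.example/"
AUDIENCES = ["https://api.example"]
ROUTE_SCOPES = ["read:orders"]
BASE = {"iss": ISSUER, "aud": AUDIENCES, "exp": NOW + 3600, "nbf": NOW - 60}

# Permission present only in the `permissions` array.
PERMISSIONS_ONLY = {**BASE, "scope": "openid profile",
                    "permissions": ["read:orders"]}
# Same permission also present in the space-delimited `scope` string.
WITH_SCOPE = {**BASE, "scope": "openid profile read:orders",
              "permissions": ["read:orders"]}

if __name__ == "__main__":
    for name, tok in [("permissions only", PERMISSIONS_ONLY), ("with scope", WITH_SCOPE)]:
        print(name, "->", failed_checks(tok, ISSUER, AUDIENCES, ROUTE_SCOPES, NOW) or "ok")
```
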