AWS Custom Authorizers

I’m working my way through the custom authorizer examples: Secure AWS API Gateway Endpoints Using Custom Authorizers to evaluate them for the following use case:

I have a PHP web app using the Auth0 PHP SDK with the Universal Login widget. This is authenticating users and returning an Access Token and an ID Token.

I want to call my AWS API Gateway functions using a Lambda Custom Authorizer from within the browser.

My first question is: is it a good idea to expose the JWT ID Token returned by the PHP API in the browser in order to pass it to the AWS API Gateway?

I’ve logged into my PHP web app and copied the JWT token (which I assume is the ID token) to the AWS Lambda test environment.

I’ve set up the env vars and tried to test the authorizer, but I keep getting the following error:

name: ‘JsonWebTokenError’,
message:
'jwt audience invalid. expected: }

The JWT is from a ‘real’ login so I would expect this to work - what am I doing wrong?
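
Added example, not part of the original post: a Node.js helper that decodes a JWT without verifying it and compares its `aud` claim with the audience the authorizer is configured to expect, which is the comparison behind the `jwt audience invalid` error above. The tenant URL, client ID, API identifier and both sample tokens are constructed placeholders, and the function names are hypothetical.

```javascript
// Decode-only JWT inspection (no signature check): troubleshooting aid only.

function b64urlJson(segment) {
  // Buffer's 'base64' decoder also accepts the URL-safe alphabet used by JWTs.
  return JSON.parse(Buffer.from(segment, 'base64').toString('utf8'));
}

function decodeJwt(token) {
  // Tolerate copy/paste artefacts: surrounding whitespace and a "Bearer " prefix.
  const compact = String(token).trim().replace(/^Bearer\s+/i, '');
  const parts = compact.split('.');
  if (parts.length !== 3) {
    throw new Error('not a compact JWS: expected 3 dot-separated segments');
  }
  return { header: b64urlJson(parts[0]), payload: b64urlJson(parts[1]) };
}

// RFC 7519: "aud" is a single string or an array of strings.
function audiences(payload) {
  if (payload.aud === undefined) return [];
  return Array.isArray(payload.aud) ? payload.aud : [payload.aud];
}

function diagnoseAudience(token, expectedAudience) {
  const { payload } = decodeJwt(token);
  const aud = audiences(payload);
  return {
    issuer: payload.iss,
    tokenAudiences: aud,
    expectedAudience,
    matches: aud.includes(expectedAudience),
  };
}

// Constructed sample tokens (placeholder claims, dummy signature segment).
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.c2ln`;
}
// OIDC ID token: aud is the application's client ID.
const SAMPLE_ID_TOKEN = makeSampleToken({
  iss: 'https://tenant.example/', aud: 'EXAMPLE_CLIENT_ID' });
// Access token issued for an API: aud contains the API identifier.
const SAMPLE_ACCESS_TOKEN = makeSampleToken({
  iss: 'https://tenant.example/', aud: ['https://api.example/'] });
const EXPECTED = 'https://api.example/'; // hypothetical authorizer audience
console.log(diagnoseAudience(SAMPLE_ID_TOKEN, EXPECTED));     // matches: false
console.log(diagnoseAudience(SAMPLE_ACCESS_TOKEN, EXPECTED)); // matches: true
```

Run it against the token being tested and the audience value the authorizer is configured with; a mismatch in `tokenAudiences` shows which side needs to change.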