Auth0 Home Blog Docs

How to create a custom authorizer that serves a public+private endpoint?

jwt
api
custom-authorizer

#1

I want to use auth0 for a graphQL application (using the serverless framework). Since 1 endpoint serves both authorized and unauthorized content, I need a custom authorizer that will allow requests without a JWT, but will throw an error if the token is bad, expired, or not a token (so I can trigger a refresh on the client side). Does anyone know of any projects that have an authorizer like this working?

I took the approach that having a single purpose lambda authorizer won’t work because I don’t want it to actually deny access to my lambda endpoint if a jwt isn’t present. I instead took the strategy of adding this authorize function to the context so it will either return the decoded user or an empty object. Unfortunately. this doesn’t work in the case of tokens that need refreshing though so I was curious if this is a solved problem and what the best approach is.

Here is the gist.