
How to create a custom authorizer that serves a public+private endpoint?



I want to use auth0 for a graphQL application (using the serverless framework). Since 1 endpoint serves both authorized and unauthorized content, I need a custom authorizer that will allow requests without a JWT, but will throw an error if the token is bad, expired, or not a token (so I can trigger a refresh on the client side). Does anyone know of any projects that have an authorizer like this working?

I took the approach that having a single purpose lambda authorizer won’t work because I don’t want it to actually deny access to my lambda endpoint if a JWT isn’t present. I instead took the strategy of adding this authorize function to the context so it will either return the decoded user or an empty object. Unfortunately, this doesn’t work in the case of tokens that need refreshing, though, so I was curious if this is a solved problem and what the best approach is.

Here is the gist.


Hey @stephen.jensen.ihi !

As it has been more than a few months since this topic was opened and there has been no reply or further information provided from the community as to the existence of the issue we would like to check if you are still facing the described challenge?

We are more than happy to assist in any way! If the issue is still out there, please let us know so we can create a new thread for better visibility; otherwise we’ll close this one in a week’s time.

Thank you!


This topic was automatically closed after 5 days. New replies are no longer allowed.