Is the Authorization header passed to lambda function by Cognito Authorizer?

Question

I'm planning to add some authorisation logic to my web app. Users are managed & authenticated by Cognito, and the API is powered by Lambda functions glued together with API Gateway. Currently, Cognito just validates the user's OAuth token and allows/denies the request. I'd like to further restrict what actions the user can take within my lambda functions by looking at the user's groups.

Looking at the OAuth token, claims about the groups are in the token body. My question is, does the Cognito Authorizer pass the value of the Authorization: Bearer foo header through to API Gateway and the Lambda handler? The way I can do something like this

const groups = getGroupsFromToken(event.headers.Authorization);
if (groups.includes('some group')) {
  // let user do the thing
}
else {
  callback({ statusCode: 401, body: 'You can\'t do the thing' });
}

Answer 1

It definitely sends through the token on a header for me, also it sends through requestContext.authorizer.jwt.claims which may be more useful to you.

The older api gateways I have always uppercase the header to "Authorization", irrespective of what case the actual header uses. The newer ones always lowercase it to "authorization".

I'd suggest trying:

const groups = getGroupsFromToken(event.headers.Authorization || event.headers.authorization);

I am using lambda proxy integration (what the new APIGW UI is calling lambda integration 2.0), from your callback it looks like you are using it too. If you are using the old lambda integration (1.0 in the new UI) then you need a mapping template.