
I am looking to share an authorizer between different HTTP API services with Serverless. I have seen different links which explain about splitting different endpoints/services into separate folders with their own serverless.yml files, but I cannot find information on sharing an authorizer between these.

I am using a basic HTTP API example (not a REST API setup) like this:

org: orgexample
app: app-example
service: notes-api

plugins:
  - serverless-bundle

provider:
  name: aws
  runtime: nodejs12.x
  region: eu-west-2
  environment:
    DOMAIN_SUFFIX: notes-api
  httpApi:
    authorizers:
      serviceAuthorizer:
        identitySource: $request.header.Authorization
        issuerUrl:
          Fn::Join:
            - ""
            - - "https://cognito-idp."
              - "${opt:region, self:provider.region}"
              - ".amazonaws.com/"
              - Ref: serviceUserPool
        audience:
          - Ref: serviceUserPoolClient
functions:
  getProfileInfo:
    handler: main.get
    events:
      - httpApi:
          method: GET
          path: /user/profile
          authorizer: serviceAuthorizer
  createProfileInfo:
    handler: main.post
    events:
      - httpApi:
          method: POST
          path: /user/profile
          authorizer: serviceAuthorizer

resources:
  Resources:
    HttpApi:
      DependsOn: serviceUserPool
    serviceUserPool:
      Type: AWS::Cognito::UserPool
      Properties:
        UserPoolName: ${self:service}-user-pool-${opt:stage, self:provider.stage}
        UsernameAttributes:
          - email
        AutoVerifiedAttributes:
          - email
    serviceUserPoolClient:
      Type: AWS::Cognito::UserPoolClient
      Properties:
        ClientName: ${self:service}-user-pool-client-${opt:stage, self:provider.stage}
        AllowedOAuthFlows:
          - implicit
        AllowedOAuthFlowsUserPoolClient: true
        AllowedOAuthScopes:
          - phone
          - email
          - openid
          - profile
          - aws.cognito.signin.user.admin
        UserPoolId:
          Ref: serviceUserPool
        CallbackURLs:
          - https://localhost:3000
        ExplicitAuthFlows:
          - ALLOW_USER_SRP_AUTH
          - ALLOW_REFRESH_TOKEN_AUTH
        GenerateSecret: false
        SupportedIdentityProviders:
          - COGNITO
    serviceUserPoolDomain:
      Type: AWS::Cognito::UserPoolDomain
      Properties:
        UserPoolId:
          Ref: serviceUserPool
        Domain: ${self:service}-user-pool-domain-${opt:stage, self:provider.stage}-${self:provider.environment.DOMAIN_SUFFIX}

This will create the HTTP API, API Gateway and wrap it in a Cognito authorizer. I would like to set up a second service that uses the same authorizer.

I have seen similar questions, but none relating to HTTP APIs and sharing a Cognito Authorizer. Useful links:
https://seed.run/blog/how-to-structure-a-real-world-monorepo-serverless-app.html
https://github.com/seed-run/serverless-template-monorepo

StuartM
  • This is an interesting question. As far as I know you can't share authorizers between different APIs, mainly because they are associated with the API. The only way you could probably do that is with a custom authorizer, where the shared part would be on a lambda and that way you would share the lambda. But I guess this is not the answer you're looking for :/ – dege Apr 01 '20 at 17:50
  • Hmm well I kind of need to just set up a single API gateway. With shared domain and authorizer. Then hook the services into that. The way the docs on serverless stack are created follows this path. Just for a rest api instead of http api – StuartM Apr 01 '20 at 17:53
  • @StuartM Did you find a way to do this? – Dave Clarke Apr 30 '20 at 18:52
  • I did not. Feel free to report back if you figure it out – StuartM May 01 '20 at 19:04

1 Answer

Try this

provider:
  httpApi:
    id: xxxx # Required - the id of the existing HTTP API to attach to

functions:
  createUser:
    ...
    events:
      - httpApi:
          path: /users
          ...
          authorizer:
            # Provide authorizerId
            id:
              Ref: ApiGatewayAuthorizer  # or hard-code Authorizer ID
            scopes: # Optional - List of Oauth2 scopes
              - myapp/myscope
Ram
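Putting the question's notes-api config and the answer's `provider.httpApi.id` / `authorizer.id` pattern together, here is an added example (not from the question, the answer, or the Serverless project) of one service owning the HTTP API plus the Cognito JWT authorizer and a second service attaching to both, so the second service validates the same issuer and audience rather than running its own copy. It assumes the Framework names the authorizer resource `HttpApiAuthorizerServiceAuthorizer` (HttpApiAuthorizer followed by the authorizer name), that the owning stack is named `notes-api-<stage>`, and that `billing-api` and `main.list` are placeholder names.

```yaml
# --- Added to notes-api's serverless.yml (the owning service) ---
# Export the HTTP API id and the authorizer id as stack outputs so a second
# stack can read them with the ${cf:...} variable at deploy time.
# Assumption: the authorizer's logical id is HttpApiAuthorizerServiceAuthorizer;
# confirm against the generated template under .serverless/ before relying on it.
resources:
  Outputs:
    SharedHttpApiId:
      Value:
        Ref: HttpApi
    SharedAuthorizerId:
      Value:
        Ref: HttpApiAuthorizerServiceAuthorizer
---
# --- billing-api/serverless.yml (second service, placeholder name) ---
service: billing-api

provider:
  name: aws
  runtime: nodejs12.x
  region: eu-west-2
  httpApi:
    # Attach routes to the existing API instead of creating a new one.
    # Resolved from the notes-api stack for the same stage.
    id: ${cf:notes-api-${opt:stage, self:provider.stage}.SharedHttpApiId}

functions:
  listInvoices:
    handler: main.list   # placeholder handler
    events:
      - httpApi:
          method: GET
          path: /billing/invoices
          authorizer:
            # Reuse the Cognito JWT authorizer owned by notes-api, so a token
            # is accepted here only if it already passes that issuer/audience check.
            id: ${cf:notes-api-${opt:stage, self:provider.stage}.SharedAuthorizerId}
```

Deploy notes-api first so its outputs exist; a route in the second service without the `authorizer` key would be public on the shared API, so check the deployed routes after each deploy.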