Ben Hammond 09:09:38

oh I only just realised that it should be possible to get an AWS JWT authorizer to read cookies (rather than just an HTTP header). I mean Cookies IS an HTTP header, so it becomes more about how to extract the JWT substring

Ben Hammond 09:09:59

the syntax of the identity Source is not obvious; if I guessed at something like

is that likely, do you think?

Ben Hammond 09:09:20

maybe I have to linearly search the cookies

Ben Hammond 09:09:45

meh
> For `JWT`, a single entry that specifies where to extract the JSON Web Token (JWT) from inbound requests. Currently only header-based and query parameter-based selections are supported, for example `$request.header.Authorization`.

Ben Hammond 09:09:08

so I have a server-generated /logged-in that has an ID token JWT. I have a client react app that will need to make API calls presenting the JWT in a header or query. The /logged-in makes an HTTP/302 to redirect to the client url. I would rather not use query params if I can avoid it, but how can I get the ID token to the react app? Seems like cookie is my best option? maybe I can put it in an HTTP response header

Ben Hammond 10:09:17

seems like
1. server drops a session cookie, redirects to react app /loggedin route
2. react /loggedin makes a fetchApi request to server /credentials endpoint
3. server responds with JWT string and other client-useful info in a JSON map body; it also deletes the session cookie
4. client stashes the JWT string in its (volatile) global state and presents in HTTP header going forwards

seems a bit round the houses though; is there really no way to shortcut this?

Ben Hammond 10:09:11

I guess there might be better security in taking each step one at a time..?