I am trying to incorporate .NET's AuthorizeAttribute in my AWS Serverless Application Model project. In my startup.cs class, which is decorated with [LambdaStartup], in ConfigureServices(), I have the following:
    services.AddAuthorization(authorization =>
    {
        authorization.AddPolicy("HasDocReadPrivilege", policy =>
        {
            policy.RequireClaim("privileges", Constants.DocsReadPermission);
        });
    });
And in Configure() I have app.UseAuthorization();
In my Functions.cs I have added the Authorize attribute to the function I wish to enforce authorization on, as follows:
    [Logging(LogEvent = true, CorrelationIdPath = CorrelationIdPaths.ApiGatewayRest)]
    [Metrics(CaptureColdStart = true)]
    [Tracing(CaptureMode = TracingCaptureMode.ResponseAndError)]
    [Authorize("HasDocReadPrivilege")]
    public async Task<APIGatewayProxyResponse> MyFunction(
        APIGatewayProxyRequest request,
        ILambdaContext context)
    {
        // Do something
    }
But it doesn't work. Even if I set Constants.DocsReadPermission to a value that is not included in the user's claims (parsed from the authorization header which contains a JWT bearer token), it still allows the user to call the function.
What am I doing wrong? Or is it simply that AWS Lambda functions don't recognize the Authorize attribute?