Feature request - configurable Principal field

[eranation]

At the moment in a Spring scenario, if you inject the Principal and use Cognito auth, you get the cognito sub (Subject). If you need the username, you must either do a lookup request to Cognito, or fish the ApiGatewayRequestContext and grab it via .getAuthorizer().getClaims().getUsername()

It would be nice if the field that is mapped to the Principal name can be configurable so that one can point it to the username instead of the sub.

[sapessi]

This is possible today by creating a custom SecurityContextWriter and passing it to the library.

We could solve this easily by giving you an easy way to inject the security context writer without having to manually create the full object constructor, perhaps just add it as a parameter to the static getAwsProxyHandler?

[sapessi]

We discussed this offline. We see two option:

1. Create a new HandlerMethodArgumentResolver for Spring and a ContextResolver in Jersey. All you'd have to do then is:

@RequestMapping(path = "/pets", method = RequestMethod.POST)
public Pet createPet(@RequestBody Pet newPet, ApiGatewayAuthorizerContext context) {
...
}

2. Extend the Principal interface with a few methods to access the additional properties of the authorization context from API Gateway:

public Pet createPet(@RequestBody Pet newPet, Principal principal) {
((CognitoUserPoolPrincipal)principal).getClaims();
}

Would love to hear from the community what the preferred option is.

[sapessi]

Since there is no feedback and this is not a high priority fix I'm pulling it out of 0.7. The data is still accessible through the request attributes.

[yyolk]

I'm not a user of Spring or Jersey, so I see a lot of benefit in option 2

[eranation]

I think option 2, as much as I hate casting or doing instanceof, is the most consistent with Spring Security. this also seems to be backward compatible.

[sapessi]

I've implemented these changes. You can now cast the Principal field to CognitoUserPoolPrincipal and call the getClaims() method to extract all of the claims in the token. I have also added support for custom claims in the object. You can get custom claims using the getClaim(String key) method of the CognitoAuthorizerClaims object.

Resolving the issue.