fix(apis): use rule name in OIDC resource identifier to fix JWT authorizer attachment#153

Open
tsushanth wants to merge 1 commit into
nitrictech:mainfrom
tsushanth:fix/oidc-security-scheme-name-mismatch

Conversation

@tsushanth


Bug

When using oidc_rule with ApiOptions(security=[...]), the JWT authorizer is created in API Gateway but never attached to any route. Routes show "Authorization: NONE" despite the authorizer being visible in the Authorizers tab.

Root cause

_oidc_to_resource uses b.name as the ResourceIdentifier.name. b.name is the composite key f"{options.name}-{api_name}" (e.g. "cognito-auth-rule-auth") — used internally by _create_resource for deduplication when the same OIDC rule is applied to multiple APIs.

However, route security definitions reference the original options.name (e.g. "cognito-auth-rule"). The generated OpenAPI spec has a mismatch:

"securitySchemes": {
  "cognito-auth-rule-auth": { ... }   ← declared with composite name
},
"/logout": {
  "post": {
    "security": [{ "cognito-auth-rule": [] }]   ← references original name
  }
}

API Gateway receives an unresolvable security reference and silently ignores the authorizer.

Fix

OidcSecurityDefinition already stores self.rule_name = options.name for exactly this purpose. Change _oidc_to_resource to use b.rule_name instead of b.name:

 def _oidc_to_resource(b: OidcSecurityDefinition) -> ResourceIdentifier:
-    return ResourceIdentifier(name=b.name, type=ResourceType.ApiSecurityDefinition)
+    return ResourceIdentifier(name=b.rule_name, type=ResourceType.ApiSecurityDefinition)
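Review bot: after this change, two APIs that share one oidc_rule emit ResourceIdentifier values with the identical name (the composite b.name was what kept them distinct), so it is worth confirming that the runtime scopes ApiSecurityDefinition resources per API and neither collapses nor rejects the second declaration; the description covers deduplication inside _create_resource but not the runtime side. A regression test that builds an API with ApiOptions(security=[...]) plus a route using the rule and asserts that every security key referenced by a route appears under securitySchemes would pin the fix, since the original failure was silent.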

The composite key in b.name is preserved for internal deduplication in _create_resource; only the identifier sent to the runtime changes to match what routes reference.

Fixes nitrictech/nitric#919
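As an added example (not code from this PR or the nitric project), a small Python lint for the failure mode described above: it walks an OpenAPI document, reports every operation whose security requirement names a scheme that is missing from components.securitySchemes, and lists the routes that end up with no effective authorizer. The spec builder and its values are constructed to mirror the mismatch in the description.

```python
from typing import Dict, List


def make_spec(declared_scheme: str) -> dict:
    """Constructed OpenAPI fragment: routes always reference the original
    rule name, while the declared scheme key is whatever the caller passes
    (the composite name before the fix, the rule name after it)."""
    return {
        "openapi": "3.0.1",
        "components": {"securitySchemes": {declared_scheme: {"type": "openIdConnect"}}},
        "paths": {
            "/logout": {"post": {"security": [{"cognito-auth-rule": []}]}},
            "/health": {"get": {}},  # intentionally unauthenticated
        },
    }


def _requirements(spec: dict, op: dict) -> list:
    # Operation-level security replaces the document-level default entirely.
    return op.get("security", spec.get("security", []))


def unresolved_security_refs(spec: dict) -> Dict[str, List[str]]:
    """Map "METHOD /path" -> scheme names referenced but never declared.
    Any entry here is a route whose authorizer the gateway would drop."""
    declared = set(spec.get("components", {}).get("securitySchemes", {}))
    problems: Dict[str, List[str]] = {}
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            names = {n for req in _requirements(spec, op) for n in req}
            missing = sorted(names - declared)
            if missing:
                problems[f"{method.upper()} {path}"] = missing
    return problems


def unauthenticated_routes(spec: dict) -> List[str]:
    """Routes with no effective authorizer: no security requirement at all,
    an empty requirement ({} means optional auth), or only unresolvable ones."""
    declared = set(spec.get("components", {}).get("securitySchemes", {}))
    open_routes = []
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            usable = [r for r in _requirements(spec, op) if r and set(r) <= declared]
            if not usable:
                open_routes.append(f"{method.upper()} {path}")
    return sorted(open_routes)
```

Run it against the output of a deployment step in CI so a mismatch fails the build instead of surfacing as "Authorization: NONE" in the console.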

…dentifier

_oidc_to_resource was using b.name (the composite "{rule_name}-{api_name}"
key used internally by _create_resource for deduplication) as the
ResourceIdentifier.name. The security scheme is declared under this
composite name, but route security definitions reference the original
options.name ("cognito-auth-rule"), so API Gateway receives an OpenAPI
spec with a security reference that doesn't match any scheme in
securitySchemes and silently ignores the JWT authorizer.

b.rule_name (= options.name) is already stored on OidcSecurityDefinition
for this purpose; use it in the ResourceIdentifier so the declared scheme
name matches what routes reference.

Fixes nitrictech/nitric#919
Successfully merging this pull request may close these issues.

[Bug] AWS: OIDC security scheme name has wrong suffix in generated OpenAPI spec, causing JWT authorizer not to be attached to routes