Posted On: Dec 1, 2016

Custom authorizers on Amazon API Gateway can now return additional fields in their authorization response.

Developers use custom authorizers to authorize API requests to their backend using bearer token strategies such as OAuth. Previously, custom authorizers could only respond with policy statements, but couldn’t pass additional useful information (such as information within the bearer token) to the backend. This meant additional backend calls to retrieve this information. With this launch, a custom authorizer can send additional information derived from the bearer token or request context values to your backend service. For example, the authorizer can return a map containing user-ids, user-names, and scope. With this change, your backend does not require the capability to map authorization tokens to user-centric data, allowing you to limit the exposure of such information to just the authorization function. 
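As an added illustration (not code from AWS or from this announcement), here is a TOKEN authorizer for Lambda that returns the policy together with a `context` map carrying user ID, user name and scope. The token format (base64url JSON plus an HMAC), the demo key, the claim names and the context key names `userId`, `userName` and `scope` are assumptions made for the example.

```python
import base64, hashlib, hmac, json

DEMO_KEY = b"constructed-demo-key"  # assumption: real keys come from a secret store

def make_token(claims, key=DEMO_KEY):
    """Build a constructed demo token: base64url(JSON claims).hex(HMAC-SHA256)."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def verify_token(token, key=DEMO_KEY):
    """Return the claims dict if the signature checks out, else None."""
    body, _, sig = token.partition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    return json.loads(base64.urlsafe_b64decode(body))

def handler(event, context=None):
    """TOKEN authorizer: returns a policy plus a context map for the backend."""
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    claims = verify_token(token) if scheme == "Bearer" else None
    if claims is None:
        raise Exception("Unauthorized")  # API Gateway answers the caller with 401
    return {
        "principalId": claims["sub"],
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": "Allow",
                "Resource": event["methodArn"],
            }],
        },
        # Context values must be flat strings, numbers or booleans, so the
        # scope list is joined into one string. Only the fields the backend
        # needs are forwarded; the raw bearer token is not.
        "context": {
            "userId": claims["sub"],
            "userName": claims["name"],
            "scope": " ".join(claims["scope"]),
        },
    }
```

The backend integration can then read these values in a mapping template as `$context.authorizer.userId`, `$context.authorizer.userName` and `$context.authorizer.scope`.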

For more information, see Use Amazon API Gateway Custom Authorizers.