Lambda Custom Authorizer

We have a serverless application on AWS that consists of an API Gateway that triggers Lambda do execute a specific code for our application. This application is multi tenant so this API will receive request from multiple clients. Currently the clients authenticate using cognito. We need a Lambda Custom Authorizer to validade the incoming request to make sure that user is allowed to make that specific request. Imagine the following scenario... We have 3 users John, Mark and Petter. All 3 of them login the application trough cognito and receive a JWT Token. Our front end will decrypt the token to see what’s the Tenant ID for those clientes. Currently we have 2 values to form a tenant. We have the CampusID which is our lowest level of tenant isolation and then OrganizationID that basically is 1 or more CampusID. So following along with our example we would have something like this: John CampusID : A OrganizationID: 1 Mark CampusID: B OrganizationID: 1 Petter CampusID: A, B Organization ID: 1 So all users belong to the same organization by only Petter is allowed to get results from either organization. Let’s say John needs to make a call to our API to list all orders from our e-commerce. In this case the frontend would call that specific API and would pass using querystring John’s OrganizationID and CampusID. On the header of that request the frontend would also provide the JWT Token given by Cognito during the login. Our API Gateway would then call our Lambda Custom Authorizer, and here is where the job begins. Basically the Custom Authorizer needs to decrypt the JWT Token and compare the OrganizationID and CampusID that are on the token versus the OrganizationID and CampusID that were sent trough the querystring. Following along our example, if John’s request has the same OrganizationID and CampusID on booth the JWT Token and the querystring then our Lambda Custom Authorizer would return a 200 code. Now if for some reason John manipulates the request and sends a querystring with CampusID = 2, the Lambda Custom Authorizer would return an 403 error since the querystring CampusID doesn’t match the CampusID from the JWT token. The same thing goes for the OrganizationID. One thing that is important to notice here is Petter’s case. He is allowed to call either CampusID “A” or CampusID “B” as long as the OrganizationID, in his case “1” also matches the one provided on the querystring and JWT Token. ATTENTION: The Custom Authorizer needs to be write on Python 3.6 or higher.