Feature request: support API Gateway JWT authorizer when running SAM locally #6550

Closed
jbbipsync opened this issue Jan 12, 2024 · 2 comments
Labels
type/feature Feature request

Comments

@jbbipsync
Describe your idea/feature/enhancement

It appears that the built-in JWT authorizer in API Gateway is not supported when using sam local start-api.

I have tried running the OAuth 2.0/JWT authorizer example locally and get the following output:

me@mbp backend % sam local start-api --debug
2024-01-12 13:44:20,566 | Config file location: /Users/me/Documents/test-sam/backend/samconfig.toml                  
2024-01-12 13:44:20,568 | Loading configuration values from [default.['local', 'start-api'].parameters] (env.command_name.section) in   
config file at '/Users/me/Documents/test-sam/backend/samconfig.toml'...                                              
2024-01-12 13:44:20,568 | Configuration values successfully loaded.                                                                     
2024-01-12 13:44:20,569 | Configuration values are: {}                                                                                  
2024-01-12 13:44:20,576 | Using SAM Template at /Users/me/Documents/test-sam/backend/template.yaml                   
2024-01-12 13:44:20,595 | Using config file: samconfig.toml, config environment: default                                                
2024-01-12 13:44:20,596 | Expand command line arguments to:                                                                             
2024-01-12 13:44:20,596 | --template_file=/Users/me/Documents/test-sam/backend/template.yaml --host=127.0.0.1        
--port=3000 --static_dir=public --layer_cache_basedir=/Users/me/.aws-sam/layers-pkg --container_host=localhost                       
--container_host_interface=127.0.0.1                                                                                                    
2024-01-12 13:44:20,697 | local start-api command is called                                                                             
2024-01-12 13:44:20,704 | No Parameters detected in the template                                                                        
2024-01-12 13:44:20,724 | There is no customer defined id or cdk path defined for resource MyApi, so we will use the resource logical id
as the resource id                                                                                                                      
2024-01-12 13:44:20,724 | There is no customer defined id or cdk path defined for resource MyFunction, so we will use the resource      
logical id as the resource id                                                                                                           
2024-01-12 13:44:20,725 | 0 stacks found in the template                                                                                
2024-01-12 13:44:20,725 | No Parameters detected in the template                                                                        
2024-01-12 13:44:20,739 | There is no customer defined id or cdk path defined for resource MyApi, so we will use the resource logical id
as the resource id                                                                                                                      
2024-01-12 13:44:20,740 | There is no customer defined id or cdk path defined for resource MyFunction, so we will use the resource      
logical id as the resource id                                                                                                           
2024-01-12 13:44:20,740 | 2 resources found in the stack                                                                                
2024-01-12 13:44:20,741 | Found Serverless function with name='MyFunction' and CodeUri='generate_jwt/'                                  
2024-01-12 13:44:20,741 | --base-dir is not presented, adjusting uri generate_jwt/ relative to                                          
/Users/me/Documents/test-sam/backend/template.yaml                                                                   
2024-01-12 13:44:20,772 | Detected Inline Swagger definition                                                                            
2024-01-12 13:44:20,772 | Parsing Swagger document using 3.0 specification                                                              
2024-01-12 13:44:20,773 | Found '0' authorizers in resource 'MyApi'                                                                     
2024-01-12 13:44:20,773 | Lambda function integration not found in Swagger document at path='/' method='get'                            
2024-01-12 13:44:20,773 | Found '0' APIs in resource 'MyApi'                                                                            
2024-01-12 13:44:20,774 | Authorizer 'MyOauth2Authorizer' is currently unsupported (must be a Lambda Authorizer), skipping              
2024-01-12 13:44:20,774 | Found '1' API Events in Serverless function with name 'MyFunction'                                            
2024-01-12 13:44:20,775 | Removed duplicates from '1' Explicit APIs and '0' Implicit APIs to produce '1' APIs                           
2024-01-12 13:44:20,775 | Linking authorizer skipped for route '/', authorizer 'None' is unsupported or not found                       
2024-01-12 13:44:20,776 | 1 APIs found in the template                                                                                  
2024-01-12 13:44:20,781 | Mounting MyFunction at http://127.0.0.1:3000/ [GET]                                                           
2024-01-12 13:44:20,782 | You can now browse to the above endpoints to invoke your functions. You do not need to restart/reload SAM CLI 
while working on your functions, changes will be reflected instantly/automatically. If you used sam build before running local commands,
you will need to re-run sam build for the changes to be picked up. You only need to restart SAM CLI if you update your AWS SAM template 
2024-01-12 13:44:20,783 | Localhost server is starting up. Multi-threading = True                                                       
2024-01-12 13:44:20 WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
 * Running on http://127.0.0.1:3000

This output indicates that only Lambda Authorizers are supported, and any non-Lambda authorizers are skipped:

LOG.debug("Authorizer '%s' is currently unsupported (must be a Lambda Authorizer), skipping", auth_name)

Proposal

Add support for the built-in JWT authorizer when running SAM locally.

The authorizer should add the JWT claims to the Lambda request context, the same way that API Gateway does. #2833 covers this already.

This issue is similar to #5131, which is asking for Cognito authorizer support.
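The example below is added here and is not part of the original issue or the SAM CLI code base. It shows a Lambda handler that fails closed when the JWT claims are missing from the request context, which is the situation the issue describes for `sam local start-api`. It assumes HTTP API payload format 2.0; the scope name, `make_event` helper and sample claims are hypothetical.

```python
import json

# Assumption: HTTP API payload format 2.0, where the API Gateway JWT authorizer
# places verified claims at requestContext.authorizer.jwt.claims.
REQUIRED_SCOPE = "orders:read"  # hypothetical scope name


def verified_claims(event):
    """Return the claims set by the JWT authorizer, or None if they are absent."""
    node = event.get("requestContext")
    for key in ("authorizer", "jwt", "claims"):
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    # This example requires a subject; an empty or malformed claims object
    # is treated the same as a missing authorizer.
    return node if isinstance(node, dict) and node.get("sub") else None


def respond(status, body):
    return {"statusCode": status, "body": json.dumps(body)}


def handler(event, context):
    claims = verified_claims(event)
    if claims is None:
        # Path taken when no authorizer ran, e.g. under `sam local start-api`
        # where the JWT authorizer is skipped. Deny rather than assume a user.
        return respond(401, {"error": "no verified identity in request context"})
    if REQUIRED_SCOPE not in str(claims.get("scope", "")).split():
        return respond(403, {"error": "missing required scope"})
    return respond(200, {"sub": claims["sub"]})


def make_event(claims=None):
    """Build a constructed payload-v2 event, with or without authorizer claims."""
    ctx = {"http": {"method": "GET", "path": "/"}}
    if claims is not None:
        ctx["authorizer"] = {"jwt": {"claims": claims, "scopes": None}}
    return {"version": "2.0", "routeKey": "GET /", "requestContext": ctx}


if __name__ == "__main__":
    # Constructed sample inputs: local run, deployed with scope, deployed without.
    for claims in (None, {"sub": "user-123", "scope": "orders:read"}, {"sub": "user-123", "scope": "profile"}):
        print(handler(make_event(claims), None))
```
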

@jbbipsync added the stage/needs-triage and type/feature labels Jan 12, 2024
@lucashuy
Contributor

Thanks for opening this feature request! I'll bring this up to the team to revisit this request, in the meantime I'll close this issue in favour of the existing issue.

For those reading, I'll drop the same suggestion I had in the Cognito issue about utilizing sam sync to test remotely deployed resources. Using sam sync will keep the remotely deployed Lambda functions up to date with the local code, including any infrastructure changes that may be required.

@lucashuy removed the stage/needs-triage label Jan 15, 2024
@lucashuy closed this as not planned Jan 15, 2024

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
