Goa.Functions.ApiGateway.Authorizer
0.7.4-preview
This is a prerelease version of Goa.Functions.ApiGateway.Authorizer.
dotnet add package Goa.Functions.ApiGateway.Authorizer --version 0.7.4-preview
NuGet\Install-Package Goa.Functions.ApiGateway.Authorizer -Version 0.7.4-preview
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.
<PackageReference Include="Goa.Functions.ApiGateway.Authorizer" Version="0.7.4-preview" />
For projects that support PackageReference, copy this XML node into the project file to reference the package.
<PackageVersion Include="Goa.Functions.ApiGateway.Authorizer" Version="0.7.4-preview" />
<PackageReference Include="Goa.Functions.ApiGateway.Authorizer" />
For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package.
paket add Goa.Functions.ApiGateway.Authorizer --version 0.7.4-preview
The NuGet Team does not provide support for this client. Please contact its maintainers for support.
#r "nuget: Goa.Functions.ApiGateway.Authorizer, 0.7.4-preview"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.
#:package Goa.Functions.ApiGateway.Authorizer@0.7.4-preview
#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package.
#addin nuget:?package=Goa.Functions.ApiGateway.Authorizer&version=0.7.4-preview&prerelease
#tool nuget:?package=Goa.Functions.ApiGateway.Authorizer&version=0.7.4-preview&prerelease
The NuGet Team does not provide support for this client. Please contact its maintainers for support.
Goa.Functions.ApiGateway.Authorizer
Build high-performance AWS Lambda authorizers for API Gateway with native AOT support. This package provides a fluent API for creating TOKEN and REQUEST type authorizers with flexible policy building, context passing, and mTLS certificate validation for secure API access control.
Quick Start
dotnet new install Goa.Templates
dotnet new goa.authorizer -n "MyAuthorizer"
Features
- Native AOT Ready: Optimized for ahead-of-time compilation with minimal cold starts
- TOKEN and REQUEST Authorizers: Support for both API Gateway authorizer types
- Fluent PolicyBuilder: Chainable API for building IAM policies with allow/deny rules
- Context Passing: Pass custom data to backend Lambda functions via the authorizer context
- mTLS Support: Access client certificate information for mutual TLS authentication
- Usage Plan Integration: Associate API keys with usage plans for throttling and quotas
- Wildcard Patterns: Allow or deny entire API stages with wildcard resource matching
Basic Usage
Token Authorizer
Process authorization tokens (e.g., JWT, API keys) extracted from a configured header:
using Goa.Functions.ApiGateway.Authorizer;
using Goa.Functions.Core;
using Microsoft.Extensions.Hosting;
await Host.CreateDefaultBuilder()
.UseLambdaLifecycle()
.ForAPIGatewayAuthorizer()
.ForTokenAuthorizer()
.HandleWith<ITokenValidator>(async (validator, authEvent) =>
{
// Validate the token from the configured header
var claims = await validator.ValidateToken(authEvent.AuthorizationToken!);
if (claims == null)
{
throw new UnauthorizedAccessException("Invalid token");
}
// Build the authorization policy
return new PolicyBuilder(claims.Subject)
.AllowAll(authEvent.MethodArn!)
.WithContext("userId", claims.Subject)
.WithContext("email", claims.Email)
.Build();
})
.RunAsync();
public interface ITokenValidator
{
Task<UserClaims?> ValidateToken(string token);
}
public record UserClaims(string Subject, string Email);
Request Authorizer
Access full request details including headers, query parameters, and path parameters:
using Goa.Functions.ApiGateway.Authorizer;
using Goa.Functions.Core;
using Microsoft.Extensions.Hosting;
await Host.CreateDefaultBuilder()
.UseLambdaLifecycle()
.ForAPIGatewayAuthorizer()
.ForRequestAuthorizer()
.HandleWith<IRequestValidator>(async (validator, authEvent) =>
{
// Access headers, query parameters, or path parameters
var apiKey = authEvent.Headers?["x-api-key"];
var tenantId = authEvent.PathParameters?["tenantId"];
var user = await validator.ValidateRequest(apiKey, tenantId);
if (user == null)
{
throw new UnauthorizedAccessException("Invalid request");
}
// Build a policy with specific resource access
var baseArn = PolicyBuilder.GetBaseArn(authEvent.MethodArn!);
return new PolicyBuilder(user.Id)
.Allow($"{baseArn}/GET/users/*")
.Allow($"{baseArn}/POST/orders")
.Deny($"{baseArn}/DELETE/*")
.WithContext("tenantId", tenantId!)
.WithContext("role", user.Role)
.Build();
})
.RunAsync();
public interface IRequestValidator
{
Task<User?> ValidateRequest(string? apiKey, string? tenantId);
}
public record User(string Id, string Role);
PolicyBuilder API
The PolicyBuilder class provides a fluent interface for constructing IAM policy documents.
Allow and Deny Methods
// Allow a single resource
new PolicyBuilder("user-123")
.Allow("arn:aws:execute-api:us-east-1:123456789:abc123/prod/GET/users")
.Build();
// Allow multiple resources
new PolicyBuilder("user-123")
.Allow(
"arn:aws:execute-api:us-east-1:123456789:abc123/prod/GET/users",
"arn:aws:execute-api:us-east-1:123456789:abc123/prod/POST/users"
)
.Build();
// Deny specific resources
new PolicyBuilder("user-123")
.AllowAll(methodArn)
.Deny("arn:aws:execute-api:us-east-1:123456789:abc123/prod/DELETE/users/*")
.Build();
Wildcard Patterns
Use AllowAll or DenyAll to match all resources under a method ARN:
// Allow all endpoints in the API stage
new PolicyBuilder("user-123")
.AllowAll(authEvent.MethodArn!)
.Build();
// Deny all endpoints (explicit deny)
new PolicyBuilder("user-123")
.DenyAll(authEvent.MethodArn!)
.Build();
Mixed Policies
Combine allow and deny statements for fine-grained access control:
var baseArn = PolicyBuilder.GetBaseArn(authEvent.MethodArn!);
new PolicyBuilder("user-123")
.Allow($"{baseArn}/GET/*") // Allow all GET requests
.Allow($"{baseArn}/POST/orders") // Allow POST to orders
.Deny($"{baseArn}/DELETE/*") // Deny all DELETE requests
.Deny($"{baseArn}/*/admin/*") // Deny all admin routes
.Build();
Context Passing
Pass custom data to backend Lambda functions. Values must be strings, numbers, or booleans:
new PolicyBuilder("user-123")
.AllowAll(methodArn)
.WithContext("userId", "user-123")
.WithContext("email", "user@example.com")
.WithContext("isAdmin", true)
.WithContext("rateLimit", 1000)
.Build();
The context values are accessible in your backend Lambda via $context.authorizer.<key> in API Gateway mapping templates or via the request context in Lambda proxy integrations.
Usage Plan Support
Associate an API key with API Gateway usage plans for throttling and quota enforcement:
new PolicyBuilder("user-123")
.AllowAll(methodArn)
.WithUsageIdentifierKey("api-key-from-usage-plan")
.Build();
Building Resource ARNs
Use the static helper methods to construct or parse resource ARNs:
// Build a complete resource ARN
var arn = PolicyBuilder.BuildResourceArn(
region: "us-east-1",
accountId: "123456789012",
apiId: "abc123xyz",
stage: "prod",
verb: "GET",
resource: "users/*"
);
// Result: arn:aws:execute-api:us-east-1:123456789012:abc123xyz/prod/GET/users/*
// Extract base ARN from a method ARN (removes method and resource portions)
var baseArn = PolicyBuilder.GetBaseArn(authEvent.MethodArn!);
// Input: arn:aws:execute-api:us-east-1:123456789:abc123/prod/GET/users/123
// Result: arn:aws:execute-api:us-east-1:123456789:abc123/prod
Event Models
TokenAuthorizerEvent
| Property | Type | Description |
|---|---|---|
Type |
string |
Always "TOKEN" |
AuthorizationToken |
string? |
The token value from the configured header |
MethodArn |
string? |
ARN of the incoming method request |
RequestAuthorizerEvent
| Property | Type | Description |
|---|---|---|
Type |
string |
Always "REQUEST" |
MethodArn |
string? |
ARN of the incoming method request |
Resource |
string? |
Resource path template |
Path |
string? |
Request path |
HttpMethod |
string? |
HTTP method (GET, POST, etc.) |
Headers |
Dictionary<string, string>? |
Request headers |
QueryStringParameters |
Dictionary<string, string>? |
Query string parameters |
PathParameters |
Dictionary<string, string>? |
Path parameters |
StageVariables |
Dictionary<string, string>? |
API Gateway stage variables |
RequestContext |
AuthorizerRequestContext? |
Request context with identity info |
AuthorizerRequestContext
| Property | Type | Description |
|---|---|---|
Path |
string? |
Resource path |
AccountId |
string? |
AWS account ID |
ResourceId |
string? |
Resource ID |
Stage |
string? |
API Gateway stage name |
RequestId |
string? |
Unique request ID |
Identity |
AuthorizerIdentity? |
Identity information including client certificate |
ResourcePath |
string? |
Resource path template |
HttpMethod |
string? |
HTTP method |
ApiId |
string? |
API Gateway API ID |
mTLS Client Certificate
When using mutual TLS, access client certificate details via RequestContext.Identity.ClientCert:
| Property | Type | Description |
|---|---|---|
ClientCertPem |
string? |
PEM-encoded client certificate |
SubjectDN |
string? |
Distinguished name of the subject |
IssuerDN |
string? |
Distinguished name of the issuer |
SerialNumber |
string? |
Certificate serial number |
Validity.NotBefore |
string? |
Start of validity period |
Validity.NotAfter |
string? |
End of validity period |
Error Handling
Return authorization failures by throwing an exception. API Gateway interprets unhandled exceptions as authorization denials:
.HandleWith<ITokenValidator>(async (validator, authEvent) =>
{
if (string.IsNullOrEmpty(authEvent.AuthorizationToken))
{
// Throwing "Unauthorized" returns a 401 response
throw new UnauthorizedAccessException("Unauthorized");
}
var isValid = await validator.ValidateToken(authEvent.AuthorizationToken);
if (!isValid)
{
// Any exception denies access
throw new UnauthorizedAccessException("Invalid token");
}
return new PolicyBuilder("user-id")
.AllowAll(authEvent.MethodArn!)
.Build();
})
For explicit deny policies (returning a 403 Forbidden), build a policy with deny statements:
// Explicit deny returns 403 Forbidden
return new PolicyBuilder("user-id")
.Deny(authEvent.MethodArn!)
.Build();
Documentation
For more information and examples, visit the main Goa documentation.
| Product | Versions Compatible and additional computed target framework versions. |
|---|---|
| .NET | net10.0 is compatible. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.
-
net10.0
- Goa.Functions.Core (>= 0.7.4-preview)
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.
| Version | Downloads | Last Updated |
|---|---|---|
| 0.7.4-preview | 0 | 3/1/2026 |
| 0.7.3-preview | 29 | 2/28/2026 |
| 0.7.2-preview | 39 | 2/23/2026 |
| 0.7.1-preview | 51 | 1/26/2026 |
| 0.7.0-preview | 51 | 1/26/2026 |
| 0.2.1-preview | 49 | 1/20/2026 |
| 0.2.0-preview | 49 | 1/14/2026 |
| 0.1.9-preview | 59 | 1/1/2026 |
| 0.1.8-preview | 193 | 12/15/2025 |
| 0.1.7-preview | 197 | 12/15/2025 |
| 0.1.6-preview | 195 | 12/15/2025 |
| 0.1.5-preview | 197 | 12/15/2025 |
| 0.1.4-preview | 202 | 12/15/2025 |
| 0.1.3-preview | 71 | 12/12/2025 |
| 0.1.2-preview | 371 | 12/11/2025 |
| 0.1.1-preview | 369 | 12/11/2025 |
| 0.1.0-preview | 368 | 12/10/2025 |
| 0.0.8-preview | 370 | 12/10/2025 |
| 0.0.7-preview | 374 | 12/8/2025 |
| 0.0.6-preview.2 | 378 | 12/8/2025 |
Loading failed