Get claims in C# Lambda function called from an API with authorization

Question

I am developing a lambda function in C# that is called from an api with authorization. I need to get the calling user's email, I have the following code:-
            //get user email
            string UserEmail = string.Empty;
            if (apigProxyEvent.RequestContext != null)
            {
                IDictionary Claims = apigProxyEvent.RequestContext.Authorizer.Claims;
                context.Logger.LogLine($"GetBreaks Got email");
                UserEmail = Claims["email"];
            }
            else
            {
                UserEmail = "Testing";
            }

I keep getting an error when getting the Claims:-
"The requested operation requires an element of type 'Object', but the target element has type 'String'."

Thanks

Answer

Here are a few ways to get the caller's email claim in a C# lambda function called from an API Gateway with authorization:

1. Use the APIGatewayProxyEvent.RequestContext property to get the authorizer claims:

```csharp
string email = apigProxyEvent.RequestContext.Authorizer.Claims["email"];
```

2. Use the HttpContext to get the user claims:

```csharp 
var emailClaim = HttpContext.Current.User.Claims.FirstOrDefault(c => c.Type == "email");
string email = emailClaim?.Value;
```

3. Inject IHttpContextAccessor and use it to access the current HttpContext:

```csharp
public class MyClass 
{
  private readonly IHttpContextAccessor _httpContextAccessor;

public MyClass(IHttpContextAccessor httpContextAccessor)
  {
    _httpContextAccessor = httpContextAccessor;
  }

public string GetEmail()
  {
    var emailClaim = _httpContextAccessor.HttpContext.User.Claims.FirstOrDefault(c => c.Type == "email");
    return emailClaim?.Value;
  }
}
```

The key is accessing the authorizer claims from the APIGatewayProxyEvent or the current HttpContext's user claims.

Answer

Thanks, but uption1 still give the same error. Tried option 2 and got compile error that HttpContext does not have Current,

Answer

Hi Martin -

It looks like you're using a "vanilla" Lambda function, and not using the Amazon.Lambda.AspNetServerCore NuGet package to run ASP.NET Core, in which case you obviously cannot use HttpContext.

Note that the apigProxyEvent.RequestContext is *not the same* as HttpContext. The RequestContext contains information about the request to the Lambda function, such as the AccountId, the ApiStage, etc.  If your API callers are being authenticated with a custom authorizer (aka "[Lambda Authorizer](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html)") that is sets the claims, you can get to the email claim like this:

```
var email = apigProxyEvent.RequestContext.Authorizer.Claims.ContainsKey("email") ?
           apigProxyEvent.RequestContext.Authorizer.Claims["email"] :
           string.Empty;
```

If you are *not* using a custom authorizer (aka Lambda Authorizer), then the question is, how are your API callers being authorized?  Are they just passing a bearer token in the Authorization header? If so, you would need to validate that token (which you can read from the apigProxyEvent.Headers collection], and set the claims yourself. I recommend using a Lambda Authorizer though, or if you are using API Gateway HTTP APIs, there is a [built-in JWT authorizer](https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-jwt-authorizer.html) feature that will set claims for you.

Get claims in C# Lambda function called from an API with authorization

Relevant content