Custom Authentication in the Cloud with Amazon API Gateway and Lambda Authorizers
An API Gateway is an essential component of any microservices architecture. Amazon provides its own API Gateway service, which you can use to enable user access to a microservices application, and manage API communication between microservices.
The API Gateway provides a default authentication process, but what happens if you want to define a custom process? For example, you might want to collect request parameters from other systems using protocols like SAML or OAuth. In this article, I’ll show how to achieve custom authentication flows with an integration between API Gateway and AWS Lambda.
What Is Amazon API Gateway?
Amazon API Gateway is a service for building and managing APIs at various scales. You can use the service to create, publish, maintain, and secure HTTP, REST, or WebSocket APIs that front web services such as AWS services and data held in the AWS Cloud. API Gateway allows you to develop APIs for your client applications or for other application developers, and it is also a critical control point for securing those APIs.
Controlling and Managing Access to REST APIs with API Gateway
API Gateway enables you to control and manage access to your cloud-based APIs using various authentication and authorization mechanisms, including:
Resource policies—you can create policies that permit or restrict access to an API based on resources. You can also share or protect methods from Virtual Private Cloud (VPC) endpoints or source IP addresses you specify.
Identity and Access Management (IAM) roles—you can use standard IAM roles and policies to apply strong access controls to specific methods or a whole API. AWS IAM policies and roles let you control who can develop, manage, or invoke your APIs, and support several authentication types.
IAM tags—you can combine these with IAM policies to facilitate access control.
Amazon Cognito user pools—you can control who can invoke your REST API methods through user pools.
Lambda authorizers—these are Lambda functions for controlling access to REST API methods by authenticating bearer tokens. Lambda authorizers also use data such as headers, query strings, paths, stage variables, and context variable request parameters. You can use them to determine who can invoke your REST API methods.
Lambda Authentication and Authorization
Lambda authorizers are a feature of Amazon API Gateway that controls access to APIs using Lambda functions. You can use a Lambda authorizer to implement custom authorization setups that determine caller identity based on request parameters or bearer tokens (e.g., SAML assertions or OAuth tokens).
API Gateway calls the Lambda authorizer when a client requests an API method, passing the caller's identity material (the bearer token or the selected request parameters) as input. The Lambda authorizer then returns output in the form of a principal identifier and an IAM policy.
Lambda authorizers can be token-based authorizers or request parameter-based authorizers. Token authorizers identify callers using bearer tokens like OAuth tokens or JSON Web Tokens (JWTs). Request authorizers use a combination of parameters such as query strings, headers, and stage and context variables.
The following diagram outlines the authorization workflow for a Lambda authorizer.
[Diagram: Lambda authorizer authorization workflow. Image Source: AWS]
The Lambda authorizer workflow has the following steps:
1. The client passes request parameters or a bearer token to the API Gateway to call an API method.
2. API Gateway looks for a Lambda authorizer configured for the API method and calls the relevant Lambda function if it’s available.
3. The Lambda function uses one of the following strategies to authenticate the caller:
Call an OAuth service provider to receive an OAuth access token.
Call a SAML service provider to receive a SAML assertion.
IAM policy generation based on request parameter values.
Retrieval of credentials from a user database.
4. If the call is successful, the Lambda function returns an output object containing a principal identifier and an IAM policy.
5. API Gateway then evaluates the IAM policy to determine whether to grant access:
If the policy allows access, API Gateway executes the API method. If the authorizer’s settings enable caching, API Gateway caches the policy, so it won’t have to invoke the Lambda authorizer function again for matching requests until the cached policy expires.
If the policy denies access, API Gateway sends the relevant HTTP status (for example, a 403 Forbidden error).
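The following is an added example (not code from the article) of a token-based Lambda authorizer that performs steps 3 and 4 above: it verifies a bearer token and returns the principal identifier plus IAM policy that API Gateway evaluates in step 5. The token format, the signing secret, and the `make_token` issuer are constructed stand-ins for a real identity provider.

```python
"""Token-based Lambda authorizer (hypothetical example, not the article's code).

The token "<sub>.<expiry>.<hmac>" and SIGNING_SECRET are constructed for
illustration; a real deployment would validate a JWT/OAuth token instead."""
import hashlib
import hmac
import time

# Constructed placeholder; load this from a secrets store in practice.
SIGNING_SECRET = b"example-signing-secret"


def _sign(payload):
    return hmac.new(SIGNING_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def verify_token(token, now=None):
    """Return the subject if the token is well-formed, untampered and unexpired, else None."""
    try:
        sub, exp, sig = token.split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(f"{sub}.{exp}"), sig):  # constant-time compare
        return None
    if int(exp) < (now if now is not None else int(time.time())):
        return None
    return sub


def build_policy(principal_id, effect, method_arn):
    """Build the authorizer response API Gateway expects. The Resource is widened
    to the whole stage so a cached policy also covers the caller's other methods."""
    arn_parts = method_arn.split("/", 2)  # [api-arn, stage, "METHOD/path"]
    stage_arn = f"{arn_parts[0]}/{arn_parts[1]}/*"
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect,
                           "Resource": stage_arn}],
        },
        # Exposed to the backend as $context.authorizer.sub
        "context": {"sub": principal_id},
    }


def lambda_handler(event, context=None):
    """Entry point invoked by API Gateway for a TOKEN authorizer."""
    raw = event.get("authorizationToken", "")
    if not raw.startswith("Bearer "):
        raise Exception("Unauthorized")  # API Gateway maps this message to HTTP 401
    sub = verify_token(raw[len("Bearer "):])
    return build_policy(sub or "anonymous", "Allow" if sub else "Deny", event["methodArn"])


def make_token(sub, exp):
    """Issue a constructed test token (stands in for the identity provider)."""
    payload = f"{sub}.{exp}"
    return f"{payload}.{_sign(payload)}"
```

A bad signature or expired token yields a Deny policy (403), while a missing token raises "Unauthorized" (401); because the policy is cached per token header, it is scoped to the stage rather than the single invoked method.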
Using the API Gateway Console to Configure a Lambda Authorizer
Once you’ve created a Lambda function, you need to verify that it functions properly. You can then use the following steps to configure a corresponding Lambda authorizer:
1. Go to the API Gateway console.
2. Select an API (or create a new one) and select authorizers under it.
3. Select create new authorizer.
4. In the name field, enter a name for the authorizer.
5. Under type, select Lambda.
6. Under Lambda Function, select the region you want.
7. Select a Lambda authorizer function available in your account.
8. To rely on a resource-based policy on the Lambda function itself, leave the Lambda invoke role blank. Otherwise, enter an IAM role whose policy allows API Gateway to invoke your Lambda function.
9. Under Lambda event payload, you can select request for a request parameter-based authorizer or token for a token-based authorizer:
If you selected request, enter the name of your chosen request parameter type under identity sources. Select (or deselect) enabled under authorization caching to determine whether API Gateway should cache the policy generated by the Lambda authorizer.
If you selected token, enter a header name in token source—the API client must send the token in that header for the authorizer to receive it. Select (or deselect) enabled under authorization caching to determine whether API Gateway should cache the policy generated by the Lambda authorizer. If you enable caching, the value of the header you specified is the cache key. You can also change the time to live (TTL) value; setting the TTL to zero disables caching.
10. To create the Lambda authorizer for your chosen API, select create.
In this article I explained the basics of API authentication in AWS, and showed the general steps for creating a custom authentication system using the concept of a Lambda authorizer:
Write a Lambda function with custom authentication functionality
Define a Lambda authorizer within Amazon API Gateway
API Gateway starts using your Lambda function to evaluate new authentication requests
I hope this will be useful as you explore advanced authentication methods in the Amazon cloud.