How to add/enable request validation on api gateway v2 (http apis) - aws-api-gateway

We can add a request validator both from the AWS console and from a CF template via serverless yml for REST APIs, but this doesn't seem to work on the HTTP APIs, which is AWS API Gateway v2. What's the way?

Related

access AWS API gateway using access token from identityserver

We have our identity server implemented using identity server
https://github.com/IdentityServer/IdentityServer3
or
https://github.com/IdentityServer/IdentityServer4
The user will authenticate and get the access token from the identity server. We have some APIs developed in AWS API Gateway. Just wondering what the common practice is to implement authentication / authorization in AWS API Gateway. We would prefer to use the existing access token from the identity server in the API Gateway.
You will need to configure a custom authorizer on your API Gateway. The Custom Authorizer will use a Lambda Function to validate the Access Token. You will need to configure the Lambda Function to validate according to your token. Here are some resources to help you configure the API Gateway Custom Authorizer with Lambda Function:
Use API Gateway Lambda Authorizers
Custom Authorizers in API Gateway and Lambda

Does AWS API Gateway Support Basic Authorization?

Is there a way to use Basic authentication rather than AWS4-HMAC-SHA256 authentication with the AWS API Gateway Service? I need to support a system that only supports webhook calls with Basic Authentication.
You just need to modify the 401 Unauthorized response template so that it contains the WWW-Authenticate header set to 'Basic'. Apart from that, you'll need to create a custom authorizer that verifies that the provided credentials are correct. You can find more info here
You can configure an API Gateway to support Basic auth, and API Gateway supports integrations with any AWS service.
Setting up Basic auth in API Gateway requires a few steps. Check this post and search down to BobK#AWS response: https://forums.aws.amazon.com/thread.jspa?messageID=799091&tstart=0

Generic Paths with AWS API Gateway

Let's say I have a RESTful web service with the following API:
/
    /things
        /v2
            /heartbeat
                GET
            /stuff
                GET
                POST
            ...
This service is running in an AWS Elastic Beanstalk behind an AWS API Gateway. The service itself handles routing beyond the /things path so I don't want to duplicate this routing logic in the API Gateway configuration. Is there a way I can setup my AWS API Gateway to handle any request that is /things and pass that to my service where the service will then handle routing to the correct path and method?
In other words, my API Gateway would handle a request to https://myUrl.com/things/v2/heartbeat and another request to https://myUrl.com/things/v2/stuff using the same /things resource defined in my API Gateway rather than having to define the /heartbeat and /stuff resources in the API Gateway itself.
You can use API Gateway's catch-all path variable to do that.
In your case, you'd have a method of type ANY, with the path /things/{proxy+}
The Endpoint URL you'd use would be something like: https://api.yourbackend.com/{proxy}
Here is a screenshot showing an example HTTP proxy integration in the API Gateway console:
This blog post has more details and screen shots:
https://aws.amazon.com/blogs/aws/api-gateway-update-new-features-simplify-api-development/

Using Kong API Gateway as a proxy for Cisco UCCX

I am running Cisco UCCX 11.0, which is a Contact Center server that is based on a Java scripting engine. Scripts are built using the 'Script Editor' software, where you drag elements (Java Beans) to define the script logic. One of the steps in the script is to perform a REST Call. Unfortunately this step does not support adding Custom Headers such as Authorization headers and thus is limited to Basic Authentication only.
I would like the script to make a REST Call to an external API that uses a static Bearer Token. Am I correct in saying I could use Kong Gateway for this? Here is my idea of the flow:
UCCX makes REST Call to Kong with Basic Authentication ---> Kong Gateway receives the request ---> Kong Gateway makes its request to External API with static Bearer Token ---> External API responds back to Kong ---> Kong forwards the Response back to UCCX
Is this type of flow possible/easy to deploy?
This can easily be managed by assigning the Request Transformer plugin to the Kong API exposing the upstream service.
Example:
Let's assume you have an API endpoint on Kong called /myapi that is forwarding to your upstream service.
You then assign the Request Transformer plugin to the /myapi API.
For your case, you will most likely want to be using the config.add.headers option when configuring the Request Transformer plugin to add the required header authentication which will be added to all upstream requests.
Relevant Gitter Conversation:
https://gitter.im/Mashape/kong?at=587c3a9c074f7be763d686db

AWS API Gateway endpoints using basic authentication

Is it possible to expose an API endpoint in AWS API Gateway using basic authentication?
Basically, an API endpoint which can be accessed using a username and password?
Further, I want to take the user's payload to an SNS Topic / SQS queue. (Customer with Username & Password -> AWS GATEWAY API -> SQS/SNS)
I am seeing quite a lot of articles on how to expose using JWTs, but not using basic authentication.
Regards
Guru
You can use AWS proxy integration method on API Gateway to put the payload into SQS from the API endpoint. Basic authentication is currently not supported by API Gateway.
You can create a dummy endpoint in the API Gateway and create a Lambda function to authorize it; handle the login logic inside that authorization Lambda function.
Note: it works, but it is not a good practice.
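
The custom-authorizer approach mentioned in both Basic authentication threads above, sketched as an added example that is not part of any of the original answers. It assumes a TOKEN-type Lambda authorizer whose identity source is the Authorization header; the `USERS` store, the sample credentials and the helper names are constructed for illustration, and a real deployment would load the derived keys from a secrets store.

```python
import base64
import binascii
import hashlib
import hmac

ITERATIONS = 100_000

def derive(password, salt):
    """PBKDF2-SHA256 so the store never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed sample store (assumption): username -> (salt, derived key).
USERS = {"webhook": (b"sample-salt", derive("s3cret-sample", b"sample-salt"))}

def parse_basic(header):
    """Return (user, password) from a 'Basic <base64>' value, else None."""
    scheme, _, blob = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password may contain ':'
    return (user, password) if sep and user else None

def credentials_ok(user, password):
    # Unknown users still cost one PBKDF2 run, so timing does not reveal them.
    salt, expected = USERS.get(user, (b"missing-user", bytes(32)))
    match = hmac.compare_digest(derive(password, salt), expected)
    return match and user in USERS

def allow_policy(principal, method_arn):
    """IAM policy document that lets the caller invoke the requested method."""
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": "Allow", "Resource": method_arn}],
        },
    }

def handler(event, context):
    creds = parse_basic(event.get("authorizationToken"))
    if creds is None or not credentials_ok(*creds):
        # A TOKEN authorizer that raises "Unauthorized" makes the gateway answer 401.
        raise Exception("Unauthorized")
    return allow_policy(creds[0], event["methodArn"])
```

For clients to be prompted for credentials, the 401 gateway response still needs the WWW-Authenticate header set to Basic, as the first answer describes.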