We have our identity server implemented using identity server
https://github.com/IdentityServer/IdentityServer3
or
https://github.com/IdentityServer/IdentityServer4
And user will authenticate and get the access token from the identity server. We have some APIs developed in AWS api gateway. Just wondering what is the common practice to implement the authentication / authorization in the aws api gateway. We would prefer to use the existing access token from the identity server in the API gateway.
You will need to configure a custom authorizer on your API Gateway. The Custom Authorizer will use a Lambda Function to validate the Access Token. You will need to configure the Lambda Function to validate accordingly to your token. Here are some resources to help you configure the API Gateway Custom Authorizer with Lambda Function:
Use API Gateway Lambda Authorizers
Custom Authorizers in API Gateway and Lambda
Related
I have a React App + Set of lambda's which are using JWT api gateway authorizer (using cognito user pool as IDP)
Additionally I have an Auth0 app + SAML IDP-initiated enterprise connection which direct the logged users in my React App along with SAML assertion.
What will be the best and simplest solution to enable users who are directed to the React app with the SAML to be authorized in the API gateway?
I have came up with this possible solution: create a custom API gateway authorizer which will accept the SAML assertion and will validate it using passport.
Is my solution applicable?
Is there an existing solution (code reference) for such authorizer? (could not find such...)
Are there simpler \ better solutions?
I need to connect the zuul and keycloak. But my issue is that I am not gettting any idea or code. I need from api gateway to call keycloak and get the access token and from api gateway again to validate the access token and call the request api
Is there a way to use Basic authentication rather than AWS4-HMAC-SHA256 authentication with the AWS API Gateway Service? I need to support a system that only supports webhook calls with Basic Authentication.
You just need to modify the 401 Unauthorized response template so that it contains the WWW-Authenticate header set to 'Basic'. Apart from that, you'll need to create a custom authorizer that verifies that the provided credentials are correct. You can find more info here
You can configure an API Gateway to support Basic auth, and API Gateway supports integrations with any AWS service.
Setting up Basic auth in API Gateway requires a few steps. Check this post and search down to BobK#AWS response: https://forums.aws.amazon.com/thread.jspa?messageID=799091&tstart=0
Is it possible to expose an API endpoint in AWS API Gateway using basic authentication ?
Basically, an API endpoint which can be accessed using username and password ?
Further I want to take the user's payload to a SNS Topic / SQS queue. ( Customer with Username & Password -> AWS GATEWAY API -> SQS/SNS)
I am seeing quite lot of articles on how to expose using JWT's , but not using basic authentication.
Regards
Guru
You can use AWS proxy integration method on API Gateway to put the payload into SQS from the API endpoint. Basic authentication is currently not supported by API Gateway.
you can create a dummy endpoint in the API Gateway, and create a Lambda function to authorize it handle the login logic inside that authorization lambda function.
Note: it works but not an good practice
I want to set up API Gateway to point to a Lambda function which will process outbound messages from Salesforce.
All Saleforce instances share an IP range, so the way to verify that a message is from our instance is to use a cert from Salesforce to provide mutual authentication.
I know that you can use mutual authentication between API Gateway and your backend service, but I'm not sure about between the client and API Gateway. Is this possible to set up?
API Gateway does not currently support client certificate validation (aka mutual authentication) between the client and API Gateway. We have a feature request for this on our backlog, but we can't commit to a timeline for delivering it.