How to configure AWS API Gateway without authorizer? - amazon-web-services

How do you setup and access an AWS API Gateway without an authorizer?
I've created an API Gateway that I want to be publicly accessible. It will be used to perform it's own authorization. But when I try to access its invocation URL, it returns the error response:
{"message":"Missing Authentication Token"}
I assume this is because the GET method for my gateway has Authorization=None. However, I don't want to use either AWS's lambda or cognito authorizers.
How do I change that to not require any built-in authorizer?

Related

using cognito for authentication and custom authorizer for authorization

I have an serverless application which uses AWS Cognito, Lambda, and API Gateway.
The user signs in using AWS Cognito (with external identity provider) for user authentication and authorization.
The API gateway uses Cognito Authorizer to secure access to the lambda function.
The initial use case is simple, any request sent to API Gateway need to be authenticated with Cognito, and they are authorized to invoke the lambda function. As long as they can sign in, they can invoke the lambda.
Now I want to change the authorization. Even if the user is able to authenticate with Cognito, they must contain certain scopes in order to be authorized to invoke the lambda. These scopes can be fetch or checked in an external authz service. Cognito authorizer on the API gateway do not allow me to implement custom logic to call external authz service.
What is the recommended way to handle this?
You can use lambda authorizer for this use case.
In your lambda you can first authenticate your incoming token (example) and once authentication is successful you can check authorization scopes using authz service.

Call lambda function from a different cloudformation stack via API

I have a lambda function exposed via API gateway but when I try to request it using fetch it is saying that I am forbidden to access it. How do I allow my function to call another function via API gateway?
There can be multiple reasons for it.
Check whether your API gateway endpoint is open or not. While specifying trigger for lambda you must have selected one option for security. You can edit this in API gateway Method Execution tab under Authorization Settings, select Authorization : None and API key required: false
You might not have enabled CORS on your api and due to that your api is not available on cross regions.
Your api gateway is not having access to lambda function. You can do that by attaching IAM role to your API gateway API which can trigger your lambda function.

AWS: API Gateway Authorizer using access token given from ALB

I have a project that needs to make use of Lambda functions which are triggered by API Gateway with protected authorizer, i have set the resource method to require an authorization header which is the token id given in Cognito's authentication response. Basically all protected routes in the application are handled by ALB which will always check if the requested route is protected and if so then redirect to cognito's sign-in in case there is no session, after the authentication is successful, the Load Balancer will redirect the request to the application with additional headers, which are:
x-amzn-oidc-data
x-amzn-oidc-accesstoken
Both are in a manner of speaking JWT with user claims from the authentication. Normally the API Gateway endpoint protected by cognito authorizer requires a token id which is easily retreived using the implicit flow in cognito's authentication, but the ALB is using the authorization code flow which only gives a session code. Both data from x-amzn-oidc-data and token id looks the same but when i try to access the endpoint using the data from ALB i only get unauthorized.
The ideal flow goes like this:
I know i could avoid all this process by just implementing the Lambda function directly to ALB as trigger but my project is only looking for automated deployments and CloudFormation still does not support Lambda implementations for ELB.
TL:DR
The simple question is: How can i grant access in API Gateway using a token given by authorization from ALB?

Do I need to verify a AWS Cognito token in BOTH Lambda AND as API Gateway?

When using a AWS Cognito attribute from a JWT token in a lambda, do I need to verify the JWT? The Lambda is only triggered by an API Gateway which already verifies the token.
Adding details:
- I'm using Cognito Authorizer in the API Gateway to verify the token.
- The lambda is connected to the API Gateway as proxy.
No you don't need to verify the JWT in backend lambda if protected by a custom lambda authorizer by API Gateway. I would suggest you to use REQUEST based lambda authorizer and attach attributes in the response. So your backend lambda will be able to access attributes in event.requestContext.authorizer['your_attribue'].
This will also enable you to test your Lambda in isolation without needing to get attribute from JWT. You can always mock the event object for unit testing.
I ran into the same conundrum, and was trying to find documented confirmation that, within the Lambda, I wouldn't have to do any validation on my own, and that I can safely rely on the the token / claims being genuine. Unfortunately, nothing in the AWS documentation or the forum posts that I've seen so far has explicitly confirmed this.
But I did find something similar for GCP, and how the API Gateway there validates the JWT. From the GCP documentation:
To authenticate a user, a client application must send a JSON Web
Token (JWT) in the authorization header of the HTTP request to your
backend API. API Gateway validates the token on behalf of your API, so
you don't have to add any code in your API to process the
authentication. However, you do need to configure the API config for
your gateway to support your chosen authentication methods.
API Gateway validates a JWT in a performant way by using the JWT
issuer's JSON Web Key Set (JWKS). The location of the JWKS is
specified in the x-google-jwks_uri field of the gateway's API config.
API Gateway caches the JWKS for five minutes and refreshes it every
five minutes.
So, it seems that within GCP at least, we don't have to do anything, and the API Gateway will handle everything. Even though this is not a confirmation that this is how it works in AWS as well, but the fact that this is how it works in GCP, it gives me some more confidence in assuming that it must be so in AWS too.

Can I use client certificate generated in API Gateway to validate at Lambda?

I have created self client certificate within API Gateway. I would like my lambda to validate before processing the request from API Gateway (Configure Backend to Authenticate API).
API Gateway allows us to copy the certificate to clipboard. Which we can save as var or file to be read within Nodejs Lambda function, authenticate and proceed further.
Do we have examples?
API Gateway is invoking your AWS Lambda function via the the Lambda Invoke method in the AWS API. Your Lambda function isn't a web server, so it isn't receiving a direct HTTPS request from API Gateway, so it isn't going to receive the HTTPS client certificate.
I would question the need for this anyway. Your API Gateway should be using an IAM role to invoke the Lambda function. That's the mechanism you would use to make sure only API Gateway has access to invoke your Lambda function. The client-certificate is for web servers running behind API Gateway that don't use IAM for authentication.