AWS API Gateway + Swagger + OAuth - amazon-web-services

I am trying to create a new API using
AWS API Gateway (backed by an AWS Lambda)
Swagger UI
Authentication (OAUTH2 with Okta)
I can create a new service with Python + Flask + Swagger and host a Docker container, which I can develop, but I'm trying to keep it serverless and use the combination of technologies in my list above.
Any help would be greatly appreciated!

I'm assuming you want to know more about the OAuth part using Okta. You'll have to create a Lambda authorizer that will perform the introspection of the token from Okta.
For the serverless API, you'll have to break your service into functions. An approach is to have one function for each RESTful resource+method:
GET /books/{id} -> getBookFunction
PUT /books/{id} -> updateBookFunction
DELETE /books/{id} -> deleteBookFunction
Lastly, if you have a well-defined Swagger file, you can use it to create your API in API Gateway. You may also use x-amazon-apigateway-* in your Swagger file and define your resource backend to refer to a Lambda function's ARN. Documentation can be found here
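As an added illustration of the two extensions this answer mentions (it is not code from the answer or from the AWS documentation), the following OpenAPI 3 fragment wires the three book methods listed above to their Lambda functions with x-amazon-apigateway-integration and declares the Okta-introspecting Lambda as a TOKEN authorizer with x-amazon-apigateway-authorizer. The region us-east-1, the account id 123456789012, the function names and the authorizer name are placeholders.

```yaml
openapi: "3.0.1"
info:
  title: books-api
  version: "1.0"

components:
  securitySchemes:
    oktaTokenAuthorizer:
      # For a REST API a Lambda authorizer is declared as an apiKey scheme on
      # the Authorization header; the extensions turn it into a TOKEN
      # authorizer backed by the Lambda that introspects the Okta token.
      type: apiKey
      name: Authorization
      in: header
      x-amazon-apigateway-authtype: custom
      x-amazon-apigateway-authorizer:
        type: token
        authorizerUri: arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:123456789012:function:oktaAuthorizer/invocations
        # Requests whose header does not match are rejected with 401 before
        # the Lambda is invoked (the bearer b64token alphabet from RFC 6750).
        identityValidationExpression: "^Bearer [A-Za-z0-9._~+/=-]+$"
        # The returned policy is cached per token value; keep this shorter
        # than the token lifetime so expiry and revocation take effect.
        authorizerResultTtlInSeconds: 300

# Applied to every operation unless an operation overrides it.
security:
  - oktaTokenAuthorizer: []

paths:
  /books/{id}:
    parameters:
      - name: id
        in: path
        required: true
        schema:
          type: string
    get:
      x-amazon-apigateway-integration:
        type: aws_proxy
        httpMethod: POST   # Lambda is always invoked with POST, whatever the client used
        uri: arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:123456789012:function:getBookFunction/invocations
      responses:
        "200":
          description: The book
    put:
      x-amazon-apigateway-integration:
        type: aws_proxy
        httpMethod: POST
        uri: arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:123456789012:function:updateBookFunction/invocations
      responses:
        "200":
          description: The updated book
    delete:
      x-amazon-apigateway-integration:
        type: aws_proxy
        httpMethod: POST
        uri: arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:123456789012:function:deleteBookFunction/invocations
      responses:
        "204":
          description: Deleted
```

Importing this with `aws apigateway import-rest-api --body fileb://openapi.yaml` creates the resources, methods and authorizer, but not the resource-based permission each Lambda needs; `aws lambda add-permission` with principal `apigateway.amazonaws.com` (and a `--source-arn` restricted to this API's execute-api ARN) still has to be run for the authorizer and for every backend function.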

Yes, you're right, the question is more around how to integrate OAuth2 (Okta) with a Swagger UI using AWS API Gateway.
API Gateway 2.0 already provides the ability to inspect the JWT token from Okta, so no need to create a custom Lambda there.
I'm not sure how to get this ability with redirects configured in a Swagger UI, and have the user login using the implicit/authorization-code Grant-Type and let the user interact with the swagger page.

Related

AWS - how on AWS to best to implement OAuth 2.0 web-app flow to access a custom API?

I've had a custom API built on AWS and want to secure it so that it is only accessible after completing an OAuth 2.0 web-app flow. Question is - what services within AWS are used/combined to deliver this sort of API security and Identity management/verification?
I've not developed on AWS, so I'm totally naive as to where to start to answer such a question.
Any pointers are most appreciated!
You could use AWS Cognito to authenticate access to AWS API Gateway:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html
Using custom Lambda authorizer would be also an option:
https://aws.amazon.com/blogs/security/use-aws-lambda-authorizers-with-a-third-party-identity-provider-to-secure-amazon-api-gateway-rest-apis/

Implementing a backend-less auth mechanism

I would like to implement an SPA which bounces the user to a login page, if not already logged in. It would then be able to make a call to an API (not necessarily an API Gateway) hosted within an AWS VPC.
As I currently understand it, this would involve a front-end framework library authenticating the user via OAuth 2.0. It would then need to retrieve a token (allowed because of the auth validation) to call an API Gateway which provides access to the API hosted within the VPC.
Given this concept, is this architecture possible without the use of a Lambda?
If you are willing to use API Gateway in front of your API:
Yes, this architecture is possible without using a Lambda. API Gateway has integration with AWS Cognito User Pools for authorizing requests. You can find the AWS docs on how to set this up.
If you don't have an AWS API gateway in front of your API:
In this case you will have to implement one of the authentication and authorization flows provided by OAuth 2.0 standard. In this case, whether you would want to use a Lambda or not, is up to you and your back-end architecture.

Serverless get list of all existing endpoints from Api handler

I am trying to create a service root endpoint which will respond with a list of all existing path templates. I can create the response manually. Is there any way to get the list other than this manual approach?
If you are using Serverless with AWS + API Gateway, you can probably use the getResources method of the API Gateway client in the AWS SDK.
Example in the JS SDK:
https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/APIGateway.html#getResources-property
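Added example (not the answer's own code) of what the suggestion looks like in a Python Lambda behind the service root: it walks the paginated get_resources() output of a REST API (v1), keeps only real methods, and caches the result across warm invocations. The boto3 client is assumed to be the one shipped in the Lambda runtime; the two sample pages and the fake client are constructed so the file runs offline.

```python
"""List every path template of a REST API from API Gateway's get_resources().

Added example, not from the original answer. The sample pages and the fake
client are constructed; in Lambda, boto3.client('apigateway') is used instead.
"""
import json
from typing import Dict, Iterable, List

# Constructed: what get_resources(embed=['methods']) returns, split over two
# pages. A 'position' key on a page means another page follows it.
SAMPLE_PAGES = [
    {
        "items": [
            {"id": "a1b2c3", "path": "/"},  # root: a parent node with no methods
            {"id": "d4e5f6", "parentId": "a1b2c3", "pathPart": "books",
             "path": "/books", "resourceMethods": {"GET": {}, "OPTIONS": {}}},
        ],
        "position": "next-page-token",
    },
    {
        "items": [
            {"id": "g7h8i9", "parentId": "d4e5f6", "pathPart": "{id}",
             "path": "/books/{id}",
             "resourceMethods": {"GET": {}, "PUT": {}, "DELETE": {}}},
        ],
    },
]


class FakeApiGatewayClient:
    """Constructed stand-in for boto3.client('apigateway') serving SAMPLE_PAGES."""

    def __init__(self, pages: List[dict]):
        self.pages = pages
        self.calls: List[dict] = []

    def get_resources(self, **kwargs) -> dict:
        self.calls.append(kwargs)
        return self.pages[1] if "position" in kwargs else self.pages[0]


def fetch_all_pages(client, rest_api_id: str) -> Iterable[dict]:
    """Follow the 'position' cursor to the last page. embed=['methods'] is what
    makes resourceMethods appear on the items; limit=500 is the API maximum."""
    kwargs = {"restApiId": rest_api_id, "limit": 500, "embed": ["methods"]}
    while True:
        page = client.get_resources(**kwargs)
        yield page
        if "position" not in page:
            return
        kwargs["position"] = page["position"]


def path_templates(pages: Iterable[dict]) -> List[str]:
    """Flatten pages into sorted 'METHOD /path/{param}' strings. Parent-only
    resources are dropped, as are the OPTIONS methods API Gateway adds for CORS."""
    found = set()
    for page in pages:
        for item in page.get("items", []):
            for method in item.get("resourceMethods", {}):
                if method != "OPTIONS":
                    found.add(f"{method} {item['path']}")
    return sorted(found)


_CACHE: Dict[str, List[str]] = {}  # kept across warm invocations of one container


def lambda_handler(event, context, client=None):
    """GET / handler returning the endpoint list as JSON. The API id is taken
    from the proxy-integration event, so the code is not tied to one API."""
    api_id = event["requestContext"]["apiId"]
    if api_id not in _CACHE:
        if client is None:
            import boto3  # present in the Lambda runtime; imported late so offline runs need not have it
            client = boto3.client("apigateway")
        _CACHE[api_id] = path_templates(fetch_all_pages(client, api_id))
    return {
        "statusCode": 200,
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps({"endpoints": _CACHE[api_id]}),
    }


if __name__ == "__main__":
    demo_event = {"requestContext": {"apiId": "abc123"}}
    print(lambda_handler(demo_event, None, client=FakeApiGatewayClient(SAMPLE_PAGES))["body"])
```

Two things to get right before deploying it: the function's execution role needs `apigateway:GET` on `arn:aws:apigateway:<region>::/restapis/<api-id>/resources` and nothing broader, and the cache is not optional, because the API Gateway control plane is rate limited far below what a data-plane endpoint receives. Since the response enumerates every route of the API, put the root endpoint behind the same authorizer as the rest.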

Use OAuth and ASP.Net Identity in AWS API Gateway's Custom Authorizer

I have an existing Web API that I migrated to AWS using API Gateway and Lambda functions. However, I'm wondering how I can make use of AWS API Gateway's custom authorizer feature. My existing authorization framework is OAuth and I used ASP.Net Identity for user management. I generate bearer tokens and use the 'Authorized' attribute in my API Controllers for security. How can I do the same in AWS API Gateway, since I cannot change my framework because I already have existing users? Thank you.
If you haven't already, check out the docs for custom authorizers: http://docs.aws.amazon.com/apigateway/latest/developerguide/use-custom-authorizer.html
You should be able to write the Lambda function to replicate the authorization logic used in your existing service. Then think about how you want to model permissions in terms of an IAM policy (which is the output of the authorizer). If you want simple allow|deny then you can return an IAM policy from the authorizer that says Allow * or Deny *. Or you can add fine grained permissions if you want.
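A worked version of this answer's second paragraph, added here and not code from the poster, the answer or AWS: a custom authorizer that takes the roles of a validated principal and returns an IAM policy naming the exact API Gateway methods that principal may call, with Deny as the fallback. Token validation is kept pluggable; the in-memory token table is constructed for the demo and stands in for whatever reproduces the ASP.NET Identity bearer-token check. The role names and the /books paths are assumptions.

```python
"""Custom (Lambda) authorizer: from a validated principal and its roles to an
IAM policy listing the exact API Gateway methods the caller may invoke.

Added example, not the original poster's or AWS's code. The methodArn layout is
the one API Gateway sends to TOKEN authorizers:
arn:aws:execute-api:<region>:<account>:<apiId>/<stage>/<METHOD>/<path>
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumed role model: role -> (METHOD, path) pairs, '*' meaning any.
ROLE_PERMISSIONS: Dict[str, List[Tuple[str, str]]] = {
    "Reader": [("GET", "books"), ("GET", "books/*")],
    "Editor": [("GET", "books"), ("GET", "books/*"), ("PUT", "books/*")],
    "Admin":  [("*", "*")],
}

# Constructed: bearer token -> (principal, roles). Replace validate_token's
# body with the real check; nothing else has to change.
_CONSTRUCTED_TOKENS = {
    "tok-alice": ("alice", ["Reader"]),
    "tok-bob":   ("bob", ["Editor", "Reader"]),
}


def validate_token(token: str) -> Optional[Tuple[str, List[str]]]:
    """Return (principal, roles) for a valid token, None for anything else."""
    return _CONSTRUCTED_TOKENS.get(token)


_METHOD_ARN = re.compile(r"^(arn:aws:execute-api:[^:]+:[^:]+:[^/]+)/([^/]+)/[^/]+/.*$")


def api_stage_prefix(method_arn: str) -> str:
    """'...:apiId/prod/GET/books/42' -> '...:apiId/prod'. Every resource we allow
    is built under this prefix, so the policy cannot reach another API or stage."""
    match = _METHOD_ARN.match(method_arn)
    if not match:
        raise ValueError("unexpected methodArn format")
    return f"{match.group(1)}/{match.group(2)}"


def build_policy(principal: str, method_arn: str, roles: List[str]) -> dict:
    """Allow every (METHOD, path) the roles grant, or explicitly deny everything.
    The whole permitted set is listed, not just the method being called, because
    API Gateway caches this policy per token and reuses it for other methods."""
    prefix = api_stage_prefix(method_arn)
    allowed = sorted({f"{prefix}/{m}/{p}"
                      for role in roles for m, p in ROLE_PERMISSIONS.get(role, [])})
    if allowed:
        statement = {"Action": "execute-api:Invoke", "Effect": "Allow", "Resource": allowed}
    else:
        statement = {"Action": "execute-api:Invoke", "Effect": "Deny", "Resource": f"{prefix}/*/*"}
    return {
        "principalId": principal,
        "policyDocument": {"Version": "2012-10-17", "Statement": [statement]},
        # Only strings, numbers and booleans are allowed here; the backend reads
        # them as $context.authorizer.roles (requestContext.authorizer in proxy events).
        "context": {"roles": ",".join(roles)},
    }


def lambda_handler(event, context):
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise Exception("Unauthorized")   # this exact message makes API Gateway answer 401
    validated = validate_token(token)
    if validated is None:
        raise Exception("Unauthorized")
    principal, roles = validated
    return build_policy(principal, event["methodArn"], roles)


if __name__ == "__main__":
    import json
    arn = "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/books/42"
    print(json.dumps(lambda_handler({"authorizationToken": "Bearer tok-bob", "methodArn": arn}, None), indent=2))
```

The caching point is the one that bites in practice: with a non-zero result TTL, API Gateway keys the cached policy on the token value and applies it to whatever method that token calls next, so a policy that only allows the methodArn of the first request silently turns into 403s for the others. Enumerating the role's full permission set, as above, avoids that; an explicit Deny rather than an empty policy gives the same answer whether or not the result was cached.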

Implement oauth in AWS API Gateway

I am trying to create a simple service using AWS API gateway and Lambda.
I want to manage small amount of user/password pairs such that they can login in to get an access token to proceed with future API calls.
I am not sure if I have chosen the right tools for this, but I am wondering if there is any existing package or model that I can use to implement this functionality?
A document titled "Amazon API Gateway + AWS Lambda + OAuth" describes what you need to do to protect a Web API implemented using Amazon API Gateway + AWS Lambda with an OAuth 2.0 access token. The introspection API (= an API to get information about an access token) used in the document is Authlete's, but you can replace it with a different one if you like. For example, if you use an authorization server implementation that supports RFC 7662 (OAuth 2.0 Token Introspection), you can use the introspection API defined in the specification.
Updated on 2016-Apr-6
On Feb 11, 2016, a blog entry on the AWS Compute Blog, "Introducing custom authorizers in Amazon API Gateway", announced that Custom Authorizer had been introduced into Amazon API Gateway. Thanks to this mechanism, an API built on Amazon API Gateway can delegate validation of a Bearer token (such as an OAuth or SAML token) presented by a client application to an external authorizer.
How to protect APIs built on Amazon API Gateway by OAuth access tokens utilizing the new mechanism, Custom Authorizer, is described in "Amazon API Gateway Custom Authorizer + OAuth".
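The introspection step that this answer and the first answer on the page (a Lambda authorizer introspecting the Okta token) both rely on, as an added example that is not code from either answer, from Authlete or from Okta. It implements an RFC 7662 introspection call and the checks an authorizer should make on the response. It assumes an authorization server whose introspection endpoint accepts HTTP Basic client credentials (the URL, client id, secret and audience are placeholders) and routes the HTTP call through a `post` callable so the decision logic can be exercised offline against the constructed response at the bottom.

```python
"""RFC 7662 token introspection as used from an API Gateway Lambda authorizer.

Added example; not code from the answer, Authlete or Okta. The endpoint URL,
client credentials and audience are placeholders, and the response used for
offline runs is constructed.
"""
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Set

Transport = Callable[[str, bytes, Dict[str, str]], bytes]


def urllib_post(url: str, body: bytes, headers: Dict[str, str]) -> bytes:
    """Real transport: POST the form body and return the raw JSON bytes."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=3) as resp:  # short: the authorizer itself has a deadline
        return resp.read()


def introspect(token: str, *, url: str, client_id: str, client_secret: str,
               post: Transport = urllib_post) -> dict:
    """Send the RFC 7662 request. Client credentials travel in a Basic header,
    not in the form body beside the token; the token goes only to this URL."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token"}).encode()
    raw = post(url, body, {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    })
    return json.loads(raw)


def check_introspection(resp: dict, *, audience: str, required_scopes: Set[str],
                        now: Optional[float] = None) -> Optional[str]:
    """Return the principal ('sub') when the response describes a usable token,
    otherwise None. RFC 7662 guarantees only the 'active' member, so every
    other claim is treated as missing-means-reject, never missing-means-pass."""
    now = time.time() if now is None else now
    if resp.get("active") is not True:          # the JSON boolean, not the string "true"
        return None
    exp = resp.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None                             # do not rely on 'active' alone for expiry
    aud = resp.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if audience not in audiences:
        return None                             # token was minted for some other API
    granted = set(str(resp.get("scope", "")).split())
    if not required_scopes <= granted:
        return None
    sub = resp.get("sub")
    return sub if isinstance(sub, str) and sub else None


# Constructed response for offline runs; a real server returns this as JSON.
CONSTRUCTED_RESPONSE = {
    "active": True,
    "sub": "alice@example.com",
    "aud": "api://books",
    "scope": "openid books:read",
    "exp": 2_000_000_000,
    "client_id": "0oaexampleclientid",
    "token_type": "Bearer",
}


def constructed_post(url: str, body: bytes, headers: Dict[str, str]) -> bytes:
    """Offline transport that answers like the server would for any token."""
    assert headers["Authorization"].startswith("Basic ")
    assert b"token=" in body
    return json.dumps(CONSTRUCTED_RESPONSE).encode()


if __name__ == "__main__":
    resp = introspect("opaque-or-jwt-token",
                      url="https://example.okta.com/oauth2/default/v1/introspect",
                      client_id="0oaexampleclientid", client_secret="placeholder",
                      post=constructed_post)
    print(check_introspection(resp, audience="api://books", required_scopes={"books:read"}))
```

The value returned by `check_introspection` is what the authorizer uses as `principalId`; a None result should map to the "Unauthorized" exception (401) rather than to a Deny policy, so that a bad token is never cached as a policy for the authorizer's TTL. Because a network call to the authorization server happens on every cache miss, the authorizer's result TTL should be set to roughly the token lifetime you are willing to tolerate between revocation and enforcement, not to zero.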