AWS ApiGatewayV2 HTTP API with custom authorization lambda - amazon-web-services

Is it possible to use a custom authorization lambda with ApiGatewayV2 for a HTTP API?
I know it's supported for a WebSocket API but there seems to only be support for AWS' own JWT authorizer for HTTP APIs. Does anyone know of a smart way to solve this?
The reason I'm asking is I need to validate third party tokens that do not fully follow OAuth2 standards (and therefore cannot use the out of the box JWT authorizer).

It is possible to have a custom authorizer lambda with an AWS ApiGatewayV2 HTTP API.
For me at the moment (still early in my development) I actually have both a V2 WEBSOCKET and a V2 HTTP API using the same lambda for authentication, and both APIs using another lambda for the route handling -- yes, only 2 lambdas handling both APIs.
It is a bit of a mess because each API type has different event formats.
I created the WEBSOCKET API first and got the authorization lambda for it working first using OAUTH "client_credentials" and JWTs.
Then I added the HTTP API -- but it did require specifically declaring (I use terraform) the $default stage, a deployment, an integration, and a route with a $default route_key. The route is where the "CUSTOM" authorizer gets tied in. The point here is that using the so-called "quick create" V2 HTTP api does not appear to allow a custom authorizer.

Edit
This is now a feature added to HTTP API Gateways, more can be found in the Introducing IAM and Lambda authorizers for Amazon API Gateway HTTP APIs announcement.
Original
Unfortunately Lambda custom authorizers have not been migrated to be supported by HTTP API Gateways yet.
To build RESTful APIs, you can use either HTTP APIs or REST APIs from API Gateway. REST APIs offer a wide variety of features for building and managing RESTful APIs. HTTP APIs are up to 71% cheaper compared to REST APIs, but offer only API proxy functionality. HTTP APIs are optimized for performance—they offer the core functionality of API Gateway at a lower price.
The above quote from the announcement indicates that this is a light weight version of API Gateway at the moment.

Related

AWS API Gateway: REST API vs HTTP API

What is the difference between AWS API Gateway REST API vs HTTP API? Why would you use one over the other. What different functionalities does each support?
The documentation says:
API Gateway REST API A collection of HTTP resources and methods that
are integrated with backend HTTP endpoints, Lambda functions, or other
AWS services.........Each API resource can expose one or more API
methods that have unique HTTP verbs supported by API Gateway.
API Gateway HTTP API A collection of routes and methods that are
integrated with backend HTTP endpoints or Lambda functions....Each route can expose
one or more API methods that have unique HTTP verbs supported by API
Gateway.
However I cannot make much sense out of this.
According to their documentation from 2019, they're stating the following:
HTTP APIs are up to 71% cheaper compared to REST APIs, but offer only API proxy functionality.
So it seems you can't use the HTTP api's for anything other than proxying your own backend API.
Additionally, check this comprehensive documentation on when to use one over the other.

is ok to choose AWS HTTP API gateway for a mobile application?

I am trying to decide which aws apigateway version choose for my application (HTTP vs REST API gateway).
I am experimenting with AWS HTTP API gateway to see if it works fine for my use case.
These are my requirements:
The only client is a mobile application
The rest API can be accessed only from logged in users
I want to use cognito with cognito authorizer
My backend is a mix of lambda services and HTTP rest services exposed via an internal application load balancer
Everything seems to be supported, the only concern is that I would have used an api key, but this feature is not currently supported on HTTP API gateway.
Are there any security concern if I go for HTTP without any api key?
What would be the right way to restrict the access only to requests coming from my mobile app?
Everything seems to be supported, the only concern is that I would have used an api key, but this feature is not currently supported on HTTP API gateway.
HTTP APIs support OpenID Connect and OAuth 2.0 authorization
https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api.html
If you have any custom api-key, you can still have an authorizer lambda to authenticate and authorize the client.
Are there any security concern if I go for HTTP without any api key?
What do you mean by the api-key? API-key is usually static shared secret used mostly in the backend application. Claiming the users need to be authenticated and using the mobile app, having a hardcoded api-key is not the best idea (read - it is a terrible idea)
Under these requirements the default option is using OAuth2/OIDC for user authorization and passing the user's access token along the API requests.
What would be the right way to restrict the access only to requests coming from my mobile app?
I want to use cognito with cognito authorizer
The simplest and built-in way is using the access token from Cognito and built-in JWT API authorizer. Yet you may configure any other option.

Authenticate session with AWS API Gateway

Situation: I have an app (Next.js/React on Vercel) running on example.com. I have an api (AWS API Gateway) on api.example.com. Currently the application on example.com supports login using Auth0 as authentication provider.
Problem: I would like to be able to make authenticated requests from the application (example.com) to the api (api.example.com).
Architecturally, I was hoping for a way for the API Gateway (api.example.com) to handle the authenticated session from the app/Auth0 cookie (example.com). I thought the browser could share the cookie (since api.example.com is trusted) and the API could validate it.
But I don't see a standard way to do it. I think I could try to create some custom lambda authorizer for AWS' API Gateway. But since we're dealing with authentication, I would prefer to outsource as much as humanly possible and avoid any custom code. I just can't seem to piece together the way for API Gateway to handle the sessions, which I assumed would be a pretty common problem to solve.
Sidenote: Previously, I used the pages/api that's baked into Next.js to directly call Lambdas on AWS and expose them. With this, authentication natively works. That's the experience I'm now trying to recreate, but without the user having to take a roundtrip.
When you want to protect APIs it’s better to use JWT tokens to carry over necessary claims e.g. id of authenticated user. OpenID connect and Oauth2.0 are the standards to look into.
Auth0 has documentation of recommended authentication flow: https://auth0.com/docs/flows/authorization-code-flow
as well as example with Api Gateway’s HTTP apis: https://auth0.com/blog/securing-aws-http-apis-with-jwt-authorizers/
AWS documentation has more info about Http Apis and JWT token authorizers: https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-jwt-authorizer.html
If your Api gateway is using Rest apis instead of more light-way Http apis then token based Lambda authorizers are the right solution: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html

AWS Api Gateway / AWS ALB / Kong Api Gateway

I have a task to replace current CA layer 7 with new API gateway.
New API gateway should be able to handle
1. Rate limiting
2. Authentication
3. Version handling etc.,
After researching i found we could use AWS api gateway or Kong api gateway or AWS ALB with Cognito for authentication support.
This is so overwhelming to understand the basic differences, could you please give some insight on basic concept in simple words and some pointers or link that i should refer to start with.
API Gateway keep track of every deploy you make in the Deployment History tab. There you will find all versions of your API and you can change to any of them whenever you want.
You can also create your api gateway from a Swagger file.
For every method that you create for a resource you need to configure the Method Request, the Integration Request, the Integration Response and the Method Response.
The Integration Request is where everything happens. You will set there how you are going to handle your requests, if you are going to integrate with any aws service like firehose or if you are going for a lambda integration or with an existing HTTP endpoint.
Mapping Templates uses Apache Velocity Template Language (VTL). http://velocity.apache.org/engine/1.7/vtl-reference.html
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-mapping-template-reference.html
Getting started with REST apis:
https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started.html
API GATEWAY INTEGRATION TYPES:
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-integration-types.html
How to import a rest api:
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-import-api.html
Limits and known issues:
https://docs.aws.amazon.com/apigateway/latest/developerguide/limits.html
Deploying:
https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-deploy-api.html
Publish:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-publish-your-apis.html
AWS API Gateways supports lambda authoriser for authentication which is integrated with any identity provider - Azure AD, Cognito pool etc. It supports both Client Credentials (service to service) authentication and Authentication code(user based authentication) but AWS ALB don't support client credentials authentication flow.
AWS API Gateway also provides caching, request & response mapping, customise handling for each response type, request validation, throttling where AWS ALB is yet to be improved for all these feature.
Kong api gateway also provide similar feature as AWS API Gateway with added features
If all the backend services are deployed in AWS and you don't need
complex API gateway then go for AWS API Gateway. It is pay per use service and you don't need to pay for extra support for API gateway assuming your services are already deployed in AWS.
If you need api gateway solution with complex requirement and extra features then Kong API gateway can be considered. But you will need to either pay for Kong API gateway support or need extra effort in coding when used open source.
AWS ALB can be used only for specific scenarios and it is getting matured day by day.

Implement oauth in AWS API Gateway

I am trying to create a simple service using AWS API gateway and Lambda.
I want to manage small amount of user/password pairs such that they can login in to get an access token to proceed with future API calls.
I am not sure if I have chosen the right tools for this, but I am wondering if there is any existing package or model that I can use to implement this functionality?
A document titled "Amazon API Gateway + AWS Lambda + OAuth" describes what you need to do to protect a Web API implemented using Amazon API Gateway + AWS Lambda with an OAuth 2.0 access token. The introspection API (= an API to get information about an access token) used in the document is Authlete's one, but you can replace it with another different one you like. For example, if you use an authorization server implementation that supports RFC 7662 (OAuth 2.0 Token Introspection), you can use the introspection API defined in the specification.
Updated on 2016-Apr-6
On Feb 11, 2016, a blog entry of AWS Compute Blog, "Introducing custom authorizers in Amazon API Gateway", announced that Custom Authorizer had been introduced into Amazon API Gateway. Thanks to this mechanism, an API built on Amazon API Gateway can delegate validation of a Bearer token (such as an OAuth or SAML token) presented by a client application to an external authorizer.
How to protect APIs built on Amazon API Gateway by OAuth access tokens utilizing the new mechanism, Custom Authorier, is described in "Amazon APi Gateway Custom Authorizer + OAuth".