This project contains the Lambda Authoriser to be used with API Gateway

pawarrchetan/lambda-authorizer

API Gateway Authorizer

Overview

This project deploys a lambda function that is used in our APIs to check whether the caller has access to the underlying API.

API callers must supply either a custom token (a Base64-encoded JSON object containing an ID token and an access token) or a plain JWT. The authorizer then returns the policy that matches the caller's role, and API Gateway uses that policy to authorize the call.

Custom Authorization Header Flow (Base64 token)

Authorizer header parameter:

  • idtoken: the ID token; the authorizer extracts the user pool id from its payload
  • accesstoken: the access JWT used for the authorization

The custom token is the Base64 encoding of a JSON object holding both:

btoa(JSON.stringify(
    {
        idtoken: $idToken,
        accesstoken: $accessToken
    }
))

The authorizer verifies both tokens and checks that the issuer belongs to the same environment, so that only tokens generated by our server are accepted. Finally, the authorizer queries IAM to get the policy for this principal.
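A worked example of the custom-token flow described above and of the Authorization header format shown under Development, added here and not part of the project's code: it builds the Bearer header, parses it back, and checks the ID token's Cognito issuer against an allowed list of user pools for the environment. The Cognito issuer format (https://cognito-idp.<region>.amazonaws.com/<userPoolId>), the token_use claim, the allowedPoolIds list and the sample tokens are assumptions; signature verification with the pool's JWKS is assumed to happen separately and is not shown.

```javascript
// Base64url-encode a JSON object (used only to construct unsigned sample tokens).
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
  .replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");

// Constructed sample JWT: header.payload.signature with a dummy signature.
function fakeJwt(payload) {
  return [b64url({ alg: "RS256", typ: "JWT" }), b64url(payload), "sig"].join(".");
}

// "Bearer " + btoa(JSON.stringify({ idtoken, accesstoken })), as the README specifies.
function buildAuthorizationHeader(idToken, accessToken) {
  const json = JSON.stringify({ idtoken: idToken, accesstoken: accessToken });
  return "Bearer " + Buffer.from(json, "utf8").toString("base64");
}

// Split off the Bearer value, Base64-decode it and require both token fields.
function parseCustomAuthorizationHeader(header) {
  const m = /^Bearer\s+([A-Za-z0-9+/=]+)$/.exec(header || "");
  if (!m) throw new Error("missing or malformed Bearer value");
  const custom = JSON.parse(Buffer.from(m[1], "base64").toString("utf8"));
  if (typeof custom.idtoken !== "string" || typeof custom.accesstoken !== "string") {
    throw new Error("custom token must contain idtoken and accesstoken strings");
  }
  return custom;
}

// Decode a JWT payload; no signature check here (assumed done before claims are trusted).
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  return JSON.parse(Buffer.from(parts[1], "base64").toString("utf8"));
}

// Assumed Cognito issuer form: https://cognito-idp.<region>.amazonaws.com/<userPoolId>.
function userPoolIdFromIssuer(iss) {
  const m = /^https:\/\/cognito-idp\.([a-z0-9-]+)\.amazonaws\.com\/([A-Za-z0-9_-]+)$/.exec(iss || "");
  return m ? m[2] : null;
}

// Accept only if both tokens come from an allowed pool of this environment and agree with each other.
function checkEnvironment(header, allowedPoolIds) {
  const { idtoken, accesstoken } = parseCustomAuthorizationHeader(header);
  const id = decodeJwtPayload(idtoken), access = decodeJwtPayload(accesstoken);
  const poolId = userPoolIdFromIssuer(id.iss);
  if (!poolId || !allowedPoolIds.includes(poolId)) return { ok: false, reason: "issuer not in this environment" };
  if (access.iss !== id.iss) return { ok: false, reason: "token issuers differ" };
  if (id.token_use !== "id" || access.token_use !== "access") return { ok: false, reason: "token_use mismatch" };
  return { ok: true, userPoolId: poolId, sub: access.sub };
}
```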

Internal Auth Flow (JWT)

Internal auth works with standard JWTs that carry the user's AWS identity and the IAM policies that grant access to APIs via API Gateway.

Example JWT payload:

{
  "callerIdentity": "arn:aws:sts::xxxxxxxxxx:assumed-role/admin/awsmfa_20210226T120444",
  "policies": [
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*"
        }
      ]
    }
  ],
  "iss": "https://h2d2syd0a4.execute-api.eu-central-1.amazonaws.com/dev/v1/internal-auth",
  "iat": 1614338238,
  "exp": 1614341838
}

The custom authorizer returns these policies to API Gateway, which uses them to authorize the user.

APIs that require authorisation can be configured in the serverless.yml file, as in the example below:

Usage with CDK

@TODO

Getting started

Requirements

  • node.js (12/13 recommended)
  • yarn
  • serverless
  • java (for running DynamoDB offline)

Development

Clone this repository, then install the dependencies and start the local server:

yarn
yarn start

After setting up a Cognito user pool, a client id and a user, the user can authenticate with their credentials and obtain a valid JWT. With this token in the header, every call to the target APIs is validated and authorized.

The header parameter must have the following form:

Authorization: "Bearer " + btoa(JSON.stringify(
    {
        idtoken: $idToken,
        accesstoken: $accessToken
    }
))

Curl Request:

curl --request POST \
  --url http://localhost:3000/dev \
  --header 'Authorization: Bearer Base64_id_access_Token_String'

To generate the tokens (idToken and accessToken):

aws cognito-idp admin-initiate-auth \
  --user-pool-id ${your user poolId} \
  --client-id ${your pool clientId} \
  --auth-flow ADMIN_NO_SRP_AUTH \
  --auth-parameters USERNAME=${your userName},PASSWORD=${your password}

Other useful scripts

yarn test        # all tests (lint, typescript, jest)
yarn lint        # run eslint
yarn lint:fix    # run eslint --fix
yarn typescript  # run tsc
yarn jest        # run all jest tests
yarn jest:watch  # run all jest tests affected by a change
