API Gateway Authorizer Function for Auth0 or AWS Cognito using the JWKS method.
Author: Binh Bui (@bvbinh)
Tags: AWS, Auth0, Cognito, custom Authorizers, API
This is an example of how to protect API endpoints with Auth0 or AWS Cognito using JSON Web Key Sets (JWKS) and a custom authorizer Lambda function. The authorizer validates the caller's JWT against the public keys that the identity provider publishes in its JWKS document, so no shared secret has to be deployed with the API.
Custom Authorizers allow you to run an AWS Lambda function via API Gateway before your targeted AWS Lambda function is run; the targeted function is only invoked if the authorizer allows the request. This is useful for microservice architectures or when you simply want to do some authorization before running your business logic.
Use cases
- Protect API routes for authorized users
- Rate limiting APIs
- Remotely revoke tokens (a signed JWT stays valid until its exp claim, so revocation means having the authorizer consult a deny list or rotate the signing keys; the JWKS check alone does not do it)
CDK Stack snippet code
// Imports assume CDK v2 with the (then alpha) apigatewayv2 modules; adjust to your CDK version
import * as lambda from 'aws-cdk-lib/aws-lambda'
import * as apiGateway from '@aws-cdk/aws-apigatewayv2-alpha'
import * as apiGatewayAuthorizers from '@aws-cdk/aws-apigatewayv2-authorizers-alpha'
import * as apiGatewayIntegrations from '@aws-cdk/aws-apigatewayv2-integrations-alpha'

// The HTTP API that the routes below are attached to
const httpApi = new apiGateway.HttpApi(this, 'HttpApi')

// Create a lambda authorizer for the API
const authorizerFn = new lambda.Function(this, 'Authorizer', {
  runtime: lambda.Runtime.NODEJS_14_X,
  handler: 'auth.authorize',
  code: lambda.Code.fromAsset('./functions'),
  environment: {
    // IIS_URL holds the expected token issuer (the `iss` claim); the name is kept
    // because the handler reads it. The value must match the iss claim exactly.
    // For Auth0: https://<project>.auth0.com/
    // refer to: https://auth0.com/docs/secure/tokens/id-tokens
    // For AWS Cognito: https://cognito-idp.<region>.amazonaws.com/<user pool id>
    // refer to: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html
    IIS_URL: 'https://cognito-idp.ap-southeast-1.amazonaws.com/ap-southeast-1_jkM0CgrEF',
  },
})

// Create a custom authorizer for the API; API Gateway hands the Authorization header to it
const authorizer = new apiGatewayAuthorizers.HttpLambdaAuthorizer('authorizer-lambda', authorizerFn, {
  identitySource: ['$request.header.Authorization'],
})

// The business-logic function that the authorizer protects
const privateFn = new lambda.Function(this, 'PrivateFn', {
  runtime: lambda.Runtime.NODEJS_14_X,
  handler: 'handler.privateEndpoint',
  code: lambda.Code.fromAsset('./functions'),
})

// Only requests the authorizer allows reach privateFn
httpApi.addRoutes({
  methods: [apiGateway.HttpMethod.GET],
  integration: new apiGatewayIntegrations.HttpLambdaIntegration('private-integration', privateFn),
  path: '/private',
  authorizer,
})
We created a custom authorizer lambda function that will be used to authorize API calls. The authorizer lambda function will be called by API Gateway before the targeted AWS Lambda Function is run.
Full code for the custom authorizer lambda function is available here
Deploy the API
The code for this article is available on GitHub
- In lib/cdk-starter-stack-stack.ts, replace the value of IIS_URL with your Auth0 or AWS Cognito issuer, i.e. the `iss` claim of the tokens you will send. The value must match that claim exactly: a Cognito issuer has no trailing slash (as in the snippet above), while an Auth0 issuer is the tenant URL including its trailing slash.
{
  "IIS_URL": "https://<url>.com"
}
- Deploy the stack and grab the public and private endpoints.
npx cdk deploy \
--outputs-file ./cdk-outputs.json
Test Authentication
- Test with Postman: make a new GET request to your private URL with an Authorization header whose value is "Bearer <token>" (the scheme name is case-insensitive, so "bearer" also works if the authorizer compares it that way). With Cognito, either the ID token or the access token is a JWT signed with the user pool's JWKS. With Auth0, send an access token issued for your API (request it with the API's audience) rather than the ID token, which is meant for the client application, not for APIs.
- Test using curl:
curl --header "Authorization: Bearer <token>" https://{api}.execute-api.{region}.amazonaws.com/private
Cleanup
Don't forget to delete the stack and the API Gateway resources.
npx cdk destroy
Thanks for reading! I hope you found this article helpful. If you have any questions, please don't hesitate to leave a comment. I will try to answer as soon as possible.