
Which AWS API Gateway Authorizer Type should I use to protect my APIs with Okta? Lambda/Cognito?


I want to protect my AWS API Gateway with Okta. The APIs should respond only if the request contains an Okta access token in the header (Authorization). We cannot use IAM authorization for this. So, I planned to use one of the following Authorizer Types:

  • Lambda
  • Cognito (I checked this link and I understood we can use Okta as an IdentityProvider in Cognito User Pool)

Please confirm which of the following will be correct:

  1. We can use only Lambda and not Cognito in this case
  2. We can use only Cognito and not Lambda in this case
  3. We can use either Lambda or Cognito in this case

Solution

  • I do believe the answer is 3. You should be able to add a third-party provider to a Cognito user pool and then use a Cognito authorizer for the gateway - https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html

    However, if you don't need Cognito user pools, the simpler option seems to be a Lambda authorizer, as you can use an existing library for JWT verification and don't need to bother with Cognito.

    BTW, in case you can use an AWS API Gateway HTTP API - it supports JWT authorization out of the box - https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-vs-rest.html
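
The Lambda authorizer option from the answer, as an added example that is not part of the original answer: a REST API TOKEN authorizer that verifies an RS256 access token with Node's built-in `crypto` in place of a JWT library. The issuer, audience, the `OKTA_JWKS` environment variable and the function names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Assumed placeholder values; use your Okta authorization server's issuer and audience.
const ISSUER = 'https://example.okta.com/oauth2/default';
const AUDIENCE = 'api://default';
const b64uJson = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Returns the claims of a valid token, throws otherwise. `jwks` is the issuer's key set.
function verifyAccessToken(token, jwks, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = b64uJson(h);
  // Pin the algorithm: the token header must not be able to select "none" or an HMAC alg.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === 'RSA');
  if (!jwk) throw new Error('unknown kid');
  const key = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = b64uJson(p); // claims are read only after the signature checks out
  if (claims.iss !== ISSUER) throw new Error('wrong issuer');
  if (![].concat(claims.aud).includes(AUDIENCE)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Builds the IAM policy response API Gateway expects from a TOKEN authorizer.
function authorize(event, jwks, now) {
  const policy = (effect, principalId) => ({
    principalId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{ Action: 'execute-api:Invoke', Effect: effect, Resource: event.methodArn }],
    },
  });
  try {
    const token = String(event.authorizationToken || '').replace(/^Bearer\s+/i, '');
    return policy('Allow', verifyAccessToken(token, jwks, now).sub || 'unknown');
  } catch {
    // Any parsing or validation failure results in an explicit Deny.
    return policy('Deny', 'anonymous');
  }
}

// Lambda entry point; OKTA_JWKS is an assumed env var holding the issuer's JWKS as JSON.
exports.handler = async (event) => authorize(event, JSON.parse(process.env.OKTA_JWKS || '{"keys":[]}'));
```

In a deployed authorizer the key set would be fetched from the issuer's JWKS endpoint and cached so that key rotation is picked up, rather than read from a static variable.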