In my project, I presently have a legacy authentication that works in the following way: the API service, which is a custom application running in a container, acts as the recipient for the callback. It therefore obtains the Identity Provider token-1 and stores it in a cache. Based on this it returns to the client a modified token-2, "computed" from token-1 but different. token-2 JWT token. The call goes to the API service, which matches it to token-1, which can then be validated against the IdP.

I need to get rid of the API service using cloud-native mechanisms. I assume that the AWS HTTP API Gateway can be integrated with the IdP directly using its JWT Authorizer capability. Regretfully, I cannot affect the current legacy flow, which must remain functional.

However, I would like to insert a Lambda between the JWT Authorizer and the client endpoints which would do the exchange of client-facing tokens for IdP tokens (doing what the API service was doing). Would that be possible, and how can I approach this?
Sounds like you need to create a Lambda Authorizer (formerly known as Custom Authorizer) instead of using the default JWT Authorizer.

https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-lambda-authorizer.html

You can write your own logic in this, including validating tokens and performing additional steps like you mentioned.
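As an added illustration (not code from the question or the answer above), here is a minimal HTTP API Lambda authorizer in Python that performs the exchange the legacy API service did: it takes the client-facing token-2 from the request, looks up the cached IdP token-1 it was derived from, and validates token-1 before returning the payload-format-2.0 simple response. The cache, the HS256 verification key and the sample tokens are constructed for the example; a real deployment would read the cache from a shared store and verify token-1 with the IdP's published key.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed stand-in for the IdP's verification key (assumption for this example).
IDP_HMAC_KEY = b"constructed-demo-key"
# Constructed stand-in for the token-2 -> token-1 cache the legacy API service kept.
TOKEN_CACHE: dict = {}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT; used only to construct a sample token-1 for the demo."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_idp_token(token1: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Validate token-1: pinned algorithm, constant-time signature check, expiry."""
    try:
        header_b64, body_b64, sig_b64 = token1.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # reject "none" and algorithm-confusion attempts
        expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(body_b64))
        if claims.get("exp", 0) <= (now if now is not None else time.time()):
            return None
        return claims
    except ValueError:  # malformed structure, base64 or JSON
        return None

def exchange_token(token2: str, cache: dict, key: bytes, now=None) -> Optional[dict]:
    """What the legacy API service did: map token-2 back to token-1, then validate token-1."""
    token1 = cache.get(token2)
    return verify_idp_token(token1, key, now) if token1 else None

def handler(event, context=None, cache=None, key=IDP_HMAC_KEY):
    """HTTP API Lambda authorizer, payload format 2.0 with simple responses enabled."""
    token2 = (event.get("identitySource") or [""])[0].removeprefix("Bearer ").strip()
    claims = exchange_token(token2, TOKEN_CACHE if cache is None else cache, key)
    if claims is None:
        return {"isAuthorized": False}
    # Pass the validated IdP identity to the route's integration via the authorizer context.
    return {"isAuthorized": True, "context": {"sub": claims["sub"]}}
```

The handler deliberately returns only `isAuthorized: false` on any failure so that a missing cache entry, a bad signature and an expired token-1 are indistinguishable to the client.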