
AWS API Gateway and Spring boot custom authorization


I am currently working on a project which requires a custom authentication process. This application will be deployed on the AWS platform, for which I am considering using the AWS services below:

  1. API Gateway
  2. Custom Authorization
  3. EKS

The plan is to deploy all backend services in Docker containers and use the EKS service for container orchestration. All incoming requests will be validated through the API gateway and routed to the respective backend services.
We are going to use a custom authorization process with the following possible steps:

  1. Our application (say CHILD-APP) will be integrated with an existing application (say PARENT-APP), where the PARENT-APP will take care of the user authentication.
  2. On successful user authentication, the PARENT-APP will request the access token (JWT token) from CHILD-APP.
  3. This access token will be used by the CHILD-APP user interface to make the backend request calls.
  4. We are using a custom access token validation process to check the token integrity, the username and other additional validations (which cannot be exposed due to compliance).
  5. Currently I am using the Spring Boot API Gateway for URL routing and for access token validation.
  6. We are also using a custom Spring Cloud Eureka server to register the services.

Questions:

  1. How can I use the AWS API Gateway for such a custom authentication and authorization process?
  2. Can I use the Spring Cloud Eureka server and custom authorization along with the AWS API Gateway?

Any help related to this is appreciated.

Thanks,

Avinash


Solution

  • It seems like AWS Lambda Authorizers are what you're looking for: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html These are Lambda functions which can be used to authorize access to your APIs at the gateway level.

    At Curity we have recently created such an authorizer which performs an introspection request to the Authorization Server to exchange an opaque token for a JWT: https://github.com/curityio/aws-phantom-token-lambda-authorizer It looks like you need something similar. Your authorizer could call the parent app, which will perform all the custom validations on the token and return a proper result, which the AWS Lambda authorizer will then use to make an authorization decision.
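    As an added illustration of what such an authorizer looks like (example code, not part of the answer above or of the Curity project), here is a TOKEN-type Lambda authorizer in Python that verifies an HS256 JWT and returns the IAM policy document API Gateway expects. The shared secret, claims and method ARN are constructed for the demo; a deployment following the answer would instead call the parent app or an introspection endpoint inside `verify_hs256`.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret (hypothetical); load it from Secrets Manager in a real deployment.
DEMO_SECRET = b"demo-shared-secret"

def _b64url_decode(data):
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_hs256(claims, secret):
    # Issues a token the way the parent app would; only used to build test input here.
    signing_input = ".".join(_b64url_encode(json.dumps(p).encode())
                             for p in ({"alg": "HS256", "typ": "JWT"}, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"

def verify_hs256(token, secret, now=None):
    # Checks structure, pinned algorithm, signature and expiry; returns the claims.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(parts[0])).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

def build_policy(principal_id, effect, method_arn, context=None):
    # Scope the policy to the whole stage so a cached Allow also covers other routes.
    prefix, api_part = method_arn.rsplit(":", 1)
    api_id, stage = api_part.split("/")[:2]
    statement = {"Action": "execute-api:Invoke", "Effect": effect,
                 "Resource": f"{prefix}:{api_id}/{stage}/*/*"}
    return {"principalId": principal_id, "context": context or {},
            "policyDocument": {"Version": "2012-10-17", "Statement": [statement]}}

def handler(event, context=None):
    # TOKEN-type Lambda authorizer entry point.
    auth = event.get("authorizationToken", "")
    if not auth.startswith("Bearer "):
        raise Exception("Unauthorized")  # this literal message makes API Gateway return 401
    try:
        claims = verify_hs256(auth[len("Bearer "):], DEMO_SECRET)
    except ValueError:
        return build_policy("anonymous", "Deny", event["methodArn"])  # explicit Deny -> 403
    # Verified claims are forwarded to the backend as $context.authorizer.<key>.
    return build_policy(claims["sub"], "Allow", event["methodArn"], {"username": claims["sub"]})
```

    The backend behind the gateway can then read the forwarded username from the request context instead of parsing the token again.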