This AWS blog talks about securing your API with mutual TLS. When I try to configure a Lambda Custom Authorizer, I don't seem able to get the client certificate from the context properties - it seems to be missing. Is there some configuration that we are missing? Does anyone have an example please?
The blog also says "In addition to the initial mutual TLS authentication via client certificate, you can use all existing API Gateway authorizer options. This includes JSON Web Tokens (JWT)/Cognito user pool authorizers, Lambda authorizers, and IAM-based authorization." Is someone able to offer guidance on using JWT/Cognito user pool authorizers - in particular, how to pass the user identity to Cognito to get a JWT token? Or am I completely missing the point?
Thanks in advance, Kevin
Be aware that mTLS is configured by "Custom domain name" configuration and handled before the authorizer. The authorizer will get the client certificate information only if mTLS is enabled in the "Custom domain name" configuration. It will not have to verify the certificate, but can work with the certificate.
Also, traffic via the default endpoint cannot have mTLS checks, as it is not a custom domain name.
It might help you to think of mTLS and other authentications separately. You can have a JWT authentication token header within an mTLS connection. The API Gateway will handle the mTLS check and your authorization lambda can handle the JWT check.
Apart from that, I am not able to answer your second question more thoroughly and am not familiar enough with the StackOverflow rules to suggest to split them up. Maybe someone with Cognito expertise can edit an answer to the second question into this one.
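As an added example (not code from the question or the answer above), here is a Python REST API Lambda authorizer that reads the client certificate API Gateway places under `requestContext.identity.clientCert` when mTLS is enabled on the custom domain name, and denies when that block is absent, which is exactly what happens on the default endpoint. The trusted issuer DN and all event values are constructed placeholders; the JWT/Cognito check would be a separate step on the `Authorization` header.

```python
import datetime as dt

# Issuer DN of the CA in the API Gateway truststore; constructed placeholder.
TRUSTED_ISSUERS = {"CN=Example Client CA,O=Example Corp,C=US"}
CERT_TIME_FMT = "%b %d %H:%M:%S %Y %Z"  # e.g. "May 28 12:30:02 2019 GMT"


def policy(principal, effect, method_arn, context=None):
    """IAM policy document a REST API Lambda authorizer must return."""
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": method_arn}],
        },
        "context": context or {},
    }


def client_cert_from(event):
    """clientCert block API Gateway adds under requestContext.identity for
    REST APIs when mTLS is enabled on the custom domain name; None otherwise
    (default endpoint, or a domain configured without a truststore)."""
    return event.get("requestContext", {}).get("identity", {}).get("clientCert")


def cert_time(value):
    return dt.datetime.strptime(value, CERT_TIME_FMT).replace(tzinfo=dt.timezone.utc)


def handler(event, context=None, now=None):
    method_arn = event.get("methodArn", "*")
    cert = client_cert_from(event)
    # Fail closed: no certificate means the call did not pass mTLS at the edge.
    if not cert or cert.get("issuerDN") not in TRUSTED_ISSUERS:
        return policy("anonymous", "Deny", method_arn)
    # API Gateway validated the chain; re-check the validity window as
    # defence in depth and deny on any missing or malformed field.
    now = now or dt.datetime.now(dt.timezone.utc)
    try:
        validity = cert["validity"]
        in_window = cert_time(validity["notBefore"]) <= now <= cert_time(validity["notAfter"])
    except (KeyError, ValueError):
        in_window = False
    if not in_window:
        return policy("anonymous", "Deny", method_arn)
    # Pass the certificate identity downstream in the authorizer context.
    return policy(cert["subjectDN"], "Allow", method_arn,
                  {"subjectDN": cert["subjectDN"], "serialNumber": cert["serialNumber"]})
```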