You can use an Amazon API Gateway Authorizer to validate the JWT tokens obtained from Amazon Cognito.
An API Gateway Authorizer is a Lambda function that performs authentication and authorization checks before allowing the request to be passed to the microservices. It can be configured to accept a JWT token, validate it, and return an IAM policy document that specifies the permissions for the user making the request.
To set up an API Gateway Authorizer for JWT validation, you can follow these steps:
1. Create a new Lambda function that will serve as the Authorizer. This function will receive the JWT token in the Authorization header and will validate it using the Cognito SDK. If the token is valid, the function will return an IAM policy document that specifies the permissions for the user. If the token is not valid, the function will return an error.
2. Create an API Gateway REST API and define the endpoints for your microservices.
3. Create an Authorizer for your API. You can select the Lambda function you created in step 1 as the Authorizer.
4. Add the Authorizer to the endpoints that require authentication. When a client makes a request to one of these endpoints, API Gateway will call the Authorizer Lambda function to validate the JWT token before forwarding the request to the microservice.
By using an API Gateway Authorizer, you can centralize the authentication and authorization logic and avoid duplicating it in each microservice. This approach can also simplify your microservice code and reduce the risk of security vulnerabilities.
Here are some links that may be useful to you:
- API Gateway Authorizers: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html
- Cognito JWT validation with API Gateway: https://aws.amazon.com/blogs/mobile/integrating-amazon-cognito-user-pools-with-api-gateway/
- Tutorial on securing API Gateway with Cognito: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html
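An added example, not part of the answer above and not AWS code, showing the shape of the Lambda TOKEN authorizer the answer describes: it pulls the JWT out of the Authorization header, checks the signature before trusting any claim, then checks `exp`, `iss`, `token_use` and the client id / audience, and finally returns an `execute-api:Invoke` policy. The issuer, app client id, the `api-users` group used as the allow rule, and the HMAC-SHA256 signing are all constructed assumptions for the demo; real Cognito tokens are RS256 and `verify_signature` must be swapped for a check against the user pool's JWKS (`.../.well-known/jwks.json`), for example with PyJWT or python-jose.

```python
"""Lambda TOKEN authorizer sketch for Cognito-issued JWTs (added example).
The signature check is a pluggable callback; the demo signs its own tokens
with HMAC-SHA256 as a stand-in so it runs offline. Cognito tokens are RS256
and must be verified against the user pool JWKS in a real deployment."""
import base64
import hashlib
import hmac
import json
import time

# Constructed values: a deployment reads these from environment variables.
USER_POOL_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
APP_CLIENT_ID = "example-app-client-id"
DEMO_SECRET = b"demo-hmac-secret"  # stand-in for the RS256 key from the JWKS
ALLOWED_GROUP = "api-users"        # hypothetical authorization rule


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def demo_sign(header: dict, payload: dict) -> str:
    """Build an HMAC-signed token for the demo (NOT how Cognito signs)."""
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(payload).encode()))
    sig = hmac.new(DEMO_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def demo_verify_signature(signing_input: str, signature: bytes, header: dict) -> bool:
    """Stand-in verifier; production code verifies RS256 against the JWKS."""
    if header.get("alg") != "HS256":  # reject 'none' and algorithm confusion
        return False
    expected = hmac.new(DEMO_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


class TokenError(Exception):
    pass


def validate_token(token: str, verify_signature, now=None) -> dict:
    """Parse and validate the JWT; return its claims or raise TokenError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except ValueError:  # covers binascii.Error and JSONDecodeError
        raise TokenError("undecodable token")
    # Signature first: claims from an unverified token mean nothing.
    if not verify_signature(parts[0] + "." + parts[1], signature, header):
        raise TokenError("bad signature")
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenError("expired")
    if claims.get("iss") != USER_POOL_ISSUER:
        raise TokenError("wrong issuer")
    # Cognito access tokens carry client_id; ID tokens carry aud.
    token_use = claims.get("token_use")
    if token_use == "access":
        if claims.get("client_id") != APP_CLIENT_ID:
            raise TokenError("wrong client_id")
    elif token_use == "id":
        if claims.get("aud") != APP_CLIENT_ID:
            raise TokenError("wrong audience")
    else:
        raise TokenError("unexpected token_use")
    return claims


def build_policy(principal_id: str, effect: str, method_arn: str, context=None) -> dict:
    """IAM policy document in the format API Gateway expects from an authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": method_arn}],
        },
        "context": context or {},
    }


def lambda_handler(event, context=None, verify_signature=demo_verify_signature, now=None):
    """TOKEN authorizer entry point: event carries authorizationToken and methodArn."""
    raw = event.get("authorizationToken", "")
    token = raw[len("Bearer "):] if raw.startswith("Bearer ") else raw
    try:
        claims = validate_token(token, verify_signature, now)
    except TokenError:
        # This exact message makes API Gateway answer 401 without calling the backend.
        raise Exception("Unauthorized")
    groups = claims.get("cognito:groups", [])
    effect = "Allow" if ALLOWED_GROUP in groups else "Deny"
    return build_policy(claims["sub"], effect, event["methodArn"], {"sub": claims["sub"]})
```

Keeping the signature check ahead of every claim check matters: `exp`, `iss` and `token_use` are attacker-controlled bytes until the signature proves they came from the user pool, and rejecting any `alg` other than the one you expect closes the `none` and HS/RS confusion cases before the claims are read.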
While this is certainly the standard use case and flow for API Gateway, the OP is asking specifically about JWT validation using an ALB. ALB does integrate with Cognito User Pool, but it redirects unauthenticated requests to Cognito assuming that the client is a browser. If you implement a simple REST API backed by a Lambda behind an ALB (intentionally not using API Gateway as it's much lighter weight), and you invoke the API using Curl, the desired behavior is for ALB to either provide a go or no-go (401) check based on the signed JWT's properties before forwarding the request to the target group.