Lambda Authorizer with API Key enabled on API Gateway

0

Hi,

I am trying to develop a Lambda Authorizer that can auth both JWT tokens and API Keys. I am currently using Token as the Lambda event payload. The API Key is encoded as a Basic token and put in the Authorization header. With API Keys enabled on API Gateway, I put the API Key in the UsageIdentifierKey field of the response from the Lambda Authorizer to API Gateway. However, it seems there is no way for API Gateway to automatically map the API Key to its ID and pass both of them to my backend service. Is there a way to make this mapping happen at API Gateway?

An alternative I have explored is putting the API Key in the x-api-key header; API Gateway will then do the automatic mapping and pass both the API Key and the API Key ID to the backend service. In this way, I have to use Request as the Lambda event payload so that the Lambda authorizer can auth both the JWT token and the API Key. However, the problem is the setup of the Identity Sources. Since the JWT token is put in the Authorization header and the API Key in the x-api-key header, I have to put both of them as Identity Sources. But according to the documentation, all the sources specified as Identity Sources must not be empty, null or nil. I also think this is related to caching of the authorization. If I go this way, is there a way to make the Identity Sources require that at least one of them is not empty, instead of all of them?

Thanks. Jia

1 Answer
0

I am not sure what exactly you are trying to do. If you select Token, how can you authorize both the API Key and the JWT? If you place the API Key in the Authorization header, where is the JWT token?

If you need to verify 2 headers you should use the Request payload type. The IdentitySource is used for caching in this case. You do not need to specify both of them if they will not always be provided in the request.

What do you mean by "map the API Key to its ID"? The value returned from the Lambda Authorizer should be the API Key as known to API Gateway so that it can use it for throttling, etc. The API Key ID is just an internal identifier that should not mean anything to the backend.

EXPERT
Uri
answered 8 months ago
  • Thanks Uri.

    Currently, we are using Token for the Lambda Authorizer. If the API call is made by an End User, a JWT token 'Bearer xxxx' is put in the Authorization header. If the API call is made by a Server, a Basic token 'Basic xxxx' is put in the Authorization header, and the value of the Basic token is the encoded API Key together with its ID.

    If we use Request for the Lambda Authorizer, it becomes: if the API call is made by an End User with a JWT token 'Bearer xxx', the token is put in the Authorization header; if the API call is made by a Server, the API Key is put in the x-api-key header. So it is always one and only one of the two headers that will be present in the request. How should we select the Identity Sources?

    The API Key ID helps us do the association with UsagePlans from the backend.
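An added example (not Uri's or the poster's code) of the REQUEST-type authorizer the answer recommends: it branches on which header the request carries (Bearer JWT, the poster's original Basic-encoded key, or x-api-key) and returns the API Key value itself in usageIdentifierKey so API Gateway can match it to a usage plan. The token and key tables, and the "<key id>:<api key>" layout inside the Basic token, are constructed assumptions for this example.

```python
import base64

# Constructed for this example; in production replace these with real JWT
# signature verification (issuer JWKS) and the API keys API Gateway knows.
_CONSTRUCTED_VALID_JWTS = {"example.jwt.token": "user-42"}
_CONSTRUCTED_API_KEYS = {"constructed-key-123": "server-client-a"}

def verify_jwt(token):  # placeholder: subject for a valid token, else None
    return _CONSTRUCTED_VALID_JWTS.get(token)

def lookup_api_key(key):  # placeholder: client name for a known key, else None
    return _CONSTRUCTED_API_KEYS.get(key)

def classify_credentials(headers):
    """Decide which of the credential styles from the thread the request carries."""
    h = {k.lower(): v for k, v in (headers or {}).items()}
    auth = h.get("authorization", "")
    if auth.startswith("Bearer "):
        return "jwt", auth[len("Bearer "):]
    if auth.startswith("Basic "):  # assumed layout: base64("<key id>:<api key>")
        try:
            decoded = base64.b64decode(auth[len("Basic "):]).decode()
        except (ValueError, UnicodeDecodeError):
            return None, None
        return "api_key", decoded.split(":", 1)[-1]
    if h.get("x-api-key"):
        return "api_key", h["x-api-key"]
    return None, None

def build_policy(principal_id, effect, method_arn, usage_key=None):
    """Authorizer response; usageIdentifierKey carries the API key value itself."""
    response = {
        "principalId": principal_id,
        "policyDocument": {"Version": "2012-10-17", "Statement": [
            {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}]},
    }
    if usage_key is not None:
        response["usageIdentifierKey"] = usage_key
    return response

def handler(event, context=None):  # REQUEST-type Lambda authorizer entry point
    method_arn = event["methodArn"]
    kind, cred = classify_credentials(event.get("headers"))
    if kind == "jwt" and (subject := verify_jwt(cred)):
        return build_policy(subject, "Allow", method_arn)
    if kind == "api_key" and (client := lookup_api_key(cred)):
        # Return the key itself so API Gateway can match it to a usage plan.
        return build_policy(client, "Allow", method_arn, usage_key=cred)
    return build_policy("anonymous", "Deny", method_arn)
```

Raising `Exception("Unauthorized")` instead of returning a Deny policy makes API Gateway answer 401 rather than 403; the Deny form is kept here so the result is a plain return value.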
