By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Secure API with HttspProxy Integration behind ALB with AzureAd, Bypass will open the API for everyone

0

Usecase: Application behind ALB. This Application use its own API with Ingress routes. Everything behind the ALB is protected with AzureAD. Once AzureAD was authorized everything works in client browser.

To give externals Access to the API with a technical user, an ApiGateway was added with a Http Proxy Integration and an Cognito Authorization.

The HTTP Proxy Gateway use the same API Endpoints as the Ingress Routes. So validation with APIGateway work well but after this the AzureAD blocks with its Ingress ALB protection so no connection to the proxy routes. (302 Error)

Added Information: FInaly we need to have tow grants here. One "Authorization Grant" for human access with ALB. And one "Client Credential" grant for server to server communication. So the ApiGateway has a own entry point beside the ALB entry point.

I added now a rule to the ALB that checks the Bearer in Authorisation Header. If it is inside it will bypass around AzureAD.

But this will open the API to everyone, means I cannot validate the Bearer token itself I just look for the keyworld "Bearer". I cannot use Cognito to check this rule because I have client credentials and not outh activated.

How to solve this situation to get a secured infrastructure?

https://myapp.test.com/api/list/all commoningress rule

https://apigateway.endpoint/dev/list/all -> Will call https://myapp.test.com/api/list/all as Http Endpoint.

Topics
ServerlessFront-End Web & MobileNetworking & Content DeliverySecurity, Identity, & Compliance
Tags
Amazon API GatewayAmazon CognitoElastic Load Balancing
Language
English
Ognif
asked 22 days ago351 views
2 Answers
1

Separate Ingress Routes

Create separate ingress routes for the human-accessed API and the server-to-server API access. This will allow you to apply different authentication and authorization policies to each.

  • https://myapp.test.com/api/human/* - Use Azure AD for user authentication and authorization.
  • https://myapp.test.com/api/server/* - Use Client Credentials for server-to-server authentication.

Configure Azure AD for Client Credentials Flow

Set up an Azure AD application registration for your API Gateway to use the Client Credentials flow. This will allow your API Gateway to authenticate and authorize itself without the need for a user context.

  • Grant the necessary permissions to this Azure AD application to access the API.
  • Obtain the client ID and client secret for this application, which will be used by the API Gateway.

Implement API Gateway Authentication

Configure your API Gateway to use the Client Credentials flow when accessing the https://myapp.test.com/api/server/* endpoints. This will involve:

  • Obtaining an access token from Azure AD using the client ID and client secret.
  • Validating the access token and authorizing the request before forwarding it to the backend API.

Bypass Azure AD for Server-to-Server Communication

Since the API Gateway is using the Client Credentials flow, you can configure the ALB to bypass the Azure AD authentication for the https://myapp.test.com/api/server/* endpoints.

  • This can be done by adding a rule in the ALB that checks the request path and bypasses Azure AD authentication if the path matches the server-side API endpoints.

Secure the Bypass Rule

To ensure that the bypass rule doesn't open up the API to everyone, you can implement additional measures:

  • Restrict the bypass rule to only the specific IP ranges or network segments that the API Gateway is expected to use.
  • Implement additional validation in the API Gateway to ensure that the incoming requests are from the expected and authorized sources.
profile picture
EXPERT
Osvaldo Marte
answered 21 days ago
0

I'm sorry but I do not understand your architecture, but making some guesses, what I think you need is just to use API Gateway wit Cognito as the Authorizer, integrated with Azure Entra ID Enterprise Application as the OAuth authorization mechanism. Once the user has authenticated with Azure ID they will get the bearer token, and API GW will allow to "pass through" and call the backend system which will use the same token to provide access based on the scopes. So, my first though is that you need to move all the auth logic to APIGW + Cognito... the APP should only handle the scopes in the token.

Best,

profile pictureAWS
JuanEn_G
answered 22 days ago
  • Ognif
    22 days ago

    I think there is a missunderstanding. We need to have two grants, one for server communication and one for human communication. So finaly it is a must to have "Authorization Grant" and "Client Credentials". The problem is to make "Client Credentials" working if there is already a "Authorization Grant" inside the ALB for human access.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content