
I have set up an AWS Lambda function using this tutorial. I incorporated AWS API Gateway with my Lambda function using this other tutorial. The second tutorial gave the code below (A) for the Lambda function to accept tokens. For testing purposes, I successfully used Postman and passed in "allow/deny/unauthorized" in the header to access different parts of the Lambda function.

My question is: how can I incorporate real tokens into API Gateway/AWS Lambda? I see in the comments (in the code block below, A) it states "// Call oauth provider, crack jwt token, etc." I am not sure how to do so... I have been searching online for examples of this (because this must be a common thing people do, right?) and have not been able to find a solid example of it. Any help would be greatly appreciated! Excuse my limited knowledge on this subject.

My end goal is to :

  1. Have unauthenticated users from a mobile app hit the API Gateway endpoint that would then call my lambda function to validate the token.
  2. If the token has been validated, another lambda function will be called to do stuff.

    // Custom authorizer entry point: API Gateway passes the raw token and the
    // ARN of the method being invoked.
    exports.handler = function(event, context) {
        var token = event.authorizationToken;
        // Call oauth provider, crack jwt token, etc.
        // In this example, the token is treated as the status for simplicity.

        switch (token) {
            case 'allow':
                context.succeed(generatePolicy('user', 'Allow', event.methodArn));
                break;
            case 'deny':
                context.succeed(generatePolicy('user', 'Deny', event.methodArn));
                break;
            case 'unauthorized':
                context.fail("Unauthorized");
                break;
            default:
                context.fail("error dawg");
        }
    };

    // Build the IAM policy document API Gateway expects back from an authorizer.
    var generatePolicy = function(principalId, effect, resource) {
        var authResponse = {};
        authResponse.principalId = principalId;
        if (effect && resource) {
            var policyDocument = {};
            policyDocument.Version = '2012-10-17'; // default version
            policyDocument.Statement = [];
            var statementOne = {};
            statementOne.Action = 'execute-api:Invoke'; // default action
            statementOne.Effect = effect;
            statementOne.Resource = resource;
            policyDocument.Statement[0] = statementOne;
            authResponse.policyDocument = policyDocument;
        }
        return authResponse;
    };
  • What is your provider? While OAuth is a 'standard', many implement it differently, so specifying what system is generating your tokens will help people suggest methods for validating it. Commented Jul 19, 2016 at 1:07
  • Sorry that I was unclear in my question, but I was hoping to get pointed to some nice examples / see an example of this. I know very little on this subject. Maybe I am thinking too much of tokens working with AWS and rather I should first read about tokens? Commented Jul 19, 2016 at 1:25

1 Answer


Examples:

  1. Example using a self-encoded access token
    Introducing custom authorizers in Amazon API Gateway (AWS Compute Blog)

  2. Example using an unrealistic access token
    Enable Amazon API Gateway Custom Authorization (AWS Documentation)

  3. Example using an external authorization server
    Amazon API Gateway Custom Authorizer + OAuth (Authlete)


1 Comment

Thank you! The first link is very helpful. I have a couple more questions... 1) Is it a good idea to use JWT to validate unauthenticated users? 2) If JWT is the route to go, how can I generate a new token for the user? I have read here that tokens need to be reissued.
