xtx

Reputation: 4456

AWS Gateway API authentication with users stored in DynamoDB

I'm trying to implement the following scheme:

with Angular SPA on the frontend and Gateway API + lambda functions on the backend

Since my app requires authentication, there will be /auth endpoint checking user credentials (users are stored in DynamoDB) and returning auth tokens (JWT) in case of success. Client will have to send auth tokens with every request to backend, and my lambda functions will have to validate those tokens.

This scheme looks good, but I'm wondering whether it can be changed somehow so that the responsibility to check tokens is moved out of the lambda functions (lambdaAction on the picture above).

I have seen tutorials of using third-party services like Auth0 with authentication taking place in Gateway API, before any lambda functions (see the link for example). But I can't figure out how to use those services with users stored in my own DB.

So, my question, in short: is it possible to use Gateway API with token-based authentication with users stored in my database?

Upvotes: 3

Views: 2542

Answers (2)

Jason

Reputation: 10912

In addition to Mark B's answer.

I wrote a generic Custom Authorizer that works with Auth0 as the 3rd-party Single-Sign-On service.

As part of the Authentication, it will optionally store the Auth0 user data to DynamoDB.

Library can be found here https://github.com/jghaines/lambda-auth0-authorizer

Upvotes: 1

Mark B

Reputation: 200998

The Auth0 example still uses a Lambda function to validate the JWT on each request. API Gateway isn't going to validate JSON Web Tokens automatically; you have to provide a Lambda function to do that.

I would look into using the new API Gateway Custom Authorizers feature. This way you can have a single Lambda function that is responsible for validating the JWT for each request. This keeps your authentication code encapsulated in a single function instead of duplicated in every single Lambda function. It also allows you to do authentication in Lambda while the actual API endpoint may be pointing to something other than Lambda.

Upvotes: 4
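
A sketch of the single authorizer function the answer above describes, added here as an example and not code from either answer or from the linked library. It assumes a TOKEN-type custom authorizer, HS256 tokens with `sub` and `exp` claims, and a constructed shared secret; `sign` is a hypothetical stand-in for the question's /auth endpoint.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # assumption: HS256 key shared with /auth

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign(claims, key=SECRET):
    """Hypothetical stand-in for the /auth endpoint: issue an HS256 JWT."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def verify(token, key=SECRET, now=None):
    """Return the claims of a valid, unexpired HS256 JWT, else None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_b64d(head)).get("alg") != "HS256":  # pin the algorithm
            return None
        want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, _b64d(sig)):  # constant-time compare
            return None
        claims = json.loads(_b64d(body))
        if "sub" not in claims or claims["exp"] <= (now or time.time()):
            return None
        return claims
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # malformed tokens are treated the same as invalid ones

def policy(principal, effect, resource):
    """Build the IAM policy document API Gateway expects from an authorizer."""
    return {"principalId": principal, "policyDocument": {"Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect,
                           "Resource": resource}]}}

def handler(event, context=None):
    """Authorizer entry point: API Gateway passes the header value and method ARN."""
    raw = event.get("authorizationToken", "")
    token = raw[7:] if raw.startswith("Bearer ") else raw
    claims = verify(token)
    if claims is None:
        return policy("anonymous", "Deny", event["methodArn"])
    return policy(str(claims["sub"]), "Allow", event["methodArn"])
```

With this in place the backend Lambda functions no longer parse tokens themselves; they only run when the authorizer returned an Allow policy.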
