Jerald

Reputation: 4048

How to authenticate user in AWS Custom authorizer?

I'm trying to use an AWS custom authorizer in API Gateway. If I understood correctly, I should authenticate the user in the custom authorizer. I don't know who sends the request. I should detect the user by token using my own services. Right?

Upvotes: 1

Views: 180

Answers (2)

Sagar Jani

Reputation: 297

Just wanted to add my 2 cents here. Here is the flow:

  1. Once the bearer token (you can use JWT as well) is issued to the client (i.e. mobile app/web app), the client invokes the REST API created, configured and deployed through API Gateway.

  2. The custom authorizer, which is a Lambda function written in Java (you can implement it using NodeJS, C#, Python), would need to verify if the bearer token is valid. In my case, the bearer token is hashed using the SHA-512 algorithm. So we basically check whether the token stored in the DB and the token presented by the client match.

  3. If the token matches, then the custom authorizer returns an IAM policy Allow, but if the token is not correct then it returns an IAM policy Deny.

The API Gateway reacts based on the response from the custom authorizer: if the policy is Allow, it passes the call through to the backend, else it would return HTTP code 403.

Hope it would help.

Upvotes: 1
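The flow described in the answer above, as an added example that is not part of the original answer: a Python TOKEN-type Lambda authorizer that hashes the presented bearer token with SHA-512, compares it to a stored hash, and returns an Allow or Deny IAM policy. The in-memory `TOKEN_DB`, the token `demo-token-123`, the user id and the helper names are constructed for illustration; a real authorizer would query its own datastore.

```python
import hashlib
import hmac

# Constructed stand-in for the token table: SHA-512(token) -> user id.
# Assumption: a real authorizer would look this up in its own database.
TOKEN_DB = {
    hashlib.sha512(b"demo-token-123").hexdigest(): "user-42",
}


def lookup_principal(token):
    """Return the user id for a presented token, or None if unknown."""
    presented = hashlib.sha512(token.encode("utf-8")).hexdigest()
    match = None
    for stored, user in TOKEN_DB.items():
        # Constant-time digest comparison; scan every row regardless of a hit.
        if hmac.compare_digest(stored, presented):
            match = user
    return match


def build_policy(principal_id, effect, method_arn):
    """Authorizer response: a principal plus an IAM policy for the invoked method."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": method_arn,
            }],
        },
    }


def handler(event, context=None):
    """Entry point for a TOKEN authorizer: event carries authorizationToken and methodArn."""
    header = event.get("authorizationToken") or ""
    scheme, _, token = header.partition(" ")
    user = None
    if scheme.lower() == "bearer" and token.strip():
        user = lookup_principal(token.strip())
    if user is None:
        # Missing, malformed or unknown token: explicit Deny (API Gateway returns 403).
        return build_policy("anonymous", "Deny", event["methodArn"])
    return build_policy(user, "Allow", event["methodArn"])
```

Scoping `Resource` to the incoming `methodArn` keeps the Allow limited to the method that was actually called, which matters if authorizer result caching is enabled.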

Ashan

Reputation: 19738

There are multiple authorizer options available:

  • IAM authorizer
  • Cognito authorizer
  • Custom authorizer

If you use an STS-issued token to grant access to your AWS resources, then you can use IAM.

Similarly, the Cognito authorizer is for authenticating the Cognito User Pools ID token.

If you have your own authentication scheme or need a customized authentication mechanism, you can use a Custom authorizer.

Upvotes: 2
