Bachman

Reputation: 751

Do I need to verify an AWS Cognito token in BOTH the Lambda AND API Gateway?

When using an AWS Cognito attribute from a JWT in a Lambda, do I need to verify the JWT? The Lambda is only triggered by an API Gateway that already verifies the token.

Adding details:
- I'm using a Cognito authorizer in API Gateway to verify the token.
- The Lambda is connected to API Gateway as a proxy integration.

Upvotes: 1

Views: 1560
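For the setup described in the question (REST API, Cognito user pool authorizer, Lambda proxy integration), the backend function does not see only the raw header: API Gateway also passes the claims it verified in `requestContext.authorizer.claims`. The following is an added example, not code from the question or from AWS, showing a handler that uses those claims and fails closed if they are absent. The sample events are constructed; the token string is a placeholder and is never parsed. (For an HTTP API with a JWT authorizer the claims sit at `requestContext.authorizer.jwt.claims` instead; this example assumes a REST API.)

```python
import json

# Added example, not code from the question or from AWS: a Lambda proxy handler behind
# a REST API method that uses a Cognito user pool authorizer. API Gateway has already
# verified the JWT; the verified claims arrive in
# event["requestContext"]["authorizer"]["claims"]. The handler reads those and never
# parses or re-verifies the raw Authorization header.


def authorized_claims(event):
    """Return the claims API Gateway attached, or None when the request did not pass
    through the Cognito authorizer (for example a direct Invoke of the function)."""
    try:
        claims = event["requestContext"]["authorizer"]["claims"]
    except (KeyError, TypeError):
        return None
    if not isinstance(claims, dict) or not claims.get("sub"):
        return None
    return claims


def handler(event, context=None):
    claims = authorized_claims(event)
    if claims is None:
        # Fail closed: with no authorizer context there is no verified identity.
        return {"statusCode": 401, "body": json.dumps({"error": "unauthorized"})}
    # Only attributes the authorizer verified are used; the raw header is ignored.
    body = {"user": claims["sub"], "email": claims.get("email")}
    return {"statusCode": 200, "body": json.dumps(body)}


# Constructed sample events in the shape API Gateway sends to a proxy integration.
# The token value is a placeholder; the handler never looks at it.
EVENT_VIA_GATEWAY = {
    "headers": {"Authorization": "Bearer <placeholder>"},
    "requestContext": {
        "authorizer": {
            "claims": {
                "sub": "11111111-2222-3333-4444-555555555555",
                "email": "user@example.com",
                "cognito:username": "user",
                "token_use": "id",
            }
        }
    },
}
EVENT_DIRECT_INVOKE = {
    "headers": {"Authorization": "Bearer <placeholder>"},
    "requestContext": {},
}

if __name__ == "__main__":
    print(handler(EVENT_VIA_GATEWAY))
    print(handler(EVENT_DIRECT_INVOKE))
```

The trust boundary here is the invocation path, not the token: a client cannot inject `requestContext.authorizer`, because API Gateway builds it, but anything else allowed to call `lambda:InvokeFunction` could. So the function's resource-based policy should grant invoke only to the `apigateway.amazonaws.com` principal with a `SourceArn` condition for this API, and the 401 branch above covers the case where the function is reached some other way.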

Answers (2)

The Student Soul

Reputation: 2492

I ran into the same conundrum, and was trying to find documented confirmation that, within the Lambda, I wouldn't have to do any validation on my own, and that I can safely rely on the token / claims being genuine. Unfortunately, nothing in the AWS documentation or the forum posts that I've seen so far has explicitly confirmed this.

But I did find something similar for GCP, and how the API Gateway there validates the JWT. From the GCP documentation:

To authenticate a user, a client application must send a JSON Web Token (JWT) in the authorization header of the HTTP request to your backend API. API Gateway validates the token on behalf of your API, so you don't have to add any code in your API to process the authentication. However, you do need to configure the API config for your gateway to support your chosen authentication methods.

API Gateway validates a JWT in a performant way by using the JWT issuer's JSON Web Key Set (JWKS). The location of the JWKS is specified in the x-google-jwks_uri field of the gateway's API config. API Gateway caches the JWKS for five minutes and refreshes it every five minutes.

So, it seems that within GCP at least, we don't have to do anything, and the API Gateway will handle everything. Even though this is not a confirmation that this is how it works in AWS as well, the fact that this is how it works in GCP gives me some more confidence in assuming that it must be so in AWS too.

Upvotes: 2

A.Khan

Reputation: 3992

No, you don't need to verify the JWT in the backend Lambda if it is protected by a custom Lambda authorizer in API Gateway. I would suggest you use a REQUEST-based Lambda authorizer and attach attributes in the response. Your backend Lambda will then be able to access the attributes in event.requestContext.authorizer['your_attribute'].

This will also enable you to test your Lambda in isolation without needing to get attribute from JWT. You can always mock the event object for unit testing.

Upvotes: 3
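The pattern this answer describes, as an added example that is not A.Khan's code: a REQUEST-type Lambda authorizer that verifies the token, attaches the claims to its response `context`, and a backend Lambda that reads them from `event.requestContext.authorizer` and can be unit-tested with a mocked event. JWT verification is delegated to an injectable `verify_token` callable so the module runs offline; in production that callable would validate the Cognito JWT (signature against the user pool JWKS, `iss`, `exp`, `token_use`, `client_id`/`aud`) with a JWT library. The names `verify_token`, `fake_verify`, the method ARN and the claim values are assumptions made for this example.

```python
import json

# Added example, not A.Khan's code: a REQUEST-type Lambda authorizer for a REST API
# that attaches verified claims to its response, plus the backend Lambda that reads
# them from event["requestContext"]["authorizer"]. verify_token is injected so this
# runs offline; in production it validates the Cognito JWT with a JWT library.
# verify_token, fake_verify, METHOD_ARN and the claim values are assumptions.


def bearer_token(event):
    """Pull the bearer token out of the Authorization header, case-insensitively."""
    for name, value in (event.get("headers") or {}).items():
        if name.lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "bearer" and token:
                return token
    return ""


def flatten_context(claims):
    """Authorizer context values must be strings, numbers or booleans; API Gateway
    rejects nested objects and arrays. Lists (e.g. cognito:groups) are joined."""
    ctx = {}
    for key, value in claims.items():
        if isinstance(value, (str, int, float, bool)):
            ctx[key] = value
        elif isinstance(value, (list, tuple)):
            ctx[key] = ",".join(str(v) for v in value)
        # other types are dropped rather than serialized into the context
    return ctx


def iam_policy(principal_id, effect, method_arn, context):
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": method_arn}],
        },
        "context": context,
    }


def make_authorizer(verify_token):
    """Build the authorizer handler around verify_token(token) -> claims, which
    raises on any invalid token."""
    def authorizer(event, _lambda_context=None):
        try:
            claims = verify_token(bearer_token(event))
        except Exception:
            # Raising "Unauthorized" makes API Gateway answer 401; returning a Deny
            # policy would give 403 instead (and is cached for the authorizer TTL).
            raise Exception("Unauthorized")
        return iam_policy(claims["sub"], "Allow", event["methodArn"],
                          flatten_context(claims))
    return authorizer


def is_rejected(authorizer, event):
    """True if the authorizer refuses the event (helper for the demo and tests)."""
    try:
        authorizer(event)
        return False
    except Exception as exc:
        return str(exc) == "Unauthorized"


def backend_handler(event, _lambda_context=None):
    """Backend Lambda: trusts the attributes the authorizer attached, parses no JWT."""
    attrs = event["requestContext"]["authorizer"]
    groups = attrs["cognito:groups"].split(",") if attrs.get("cognito:groups") else []
    return {"statusCode": 200,
            "body": json.dumps({"sub": attrs["sub"], "groups": groups})}


# Constructed stand-in verifier: accepts exactly one token string, rejects all others.
FAKE_CLAIMS = {"sub": "user-123", "email": "user@example.com",
               "cognito:groups": ["admins", "readers"], "token_use": "id"}


def fake_verify(token):
    if token != "valid-token":
        raise ValueError("signature check failed")
    return dict(FAKE_CLAIMS)


authorizer = make_authorizer(fake_verify)

# Constructed REQUEST-authorizer events (the shape API Gateway sends the authorizer).
METHOD_ARN = "arn:aws:execute-api:us-east-1:123456789012:abcde12345/prod/GET/items"
GOOD_EVENT = {"type": "REQUEST", "methodArn": METHOD_ARN,
              "headers": {"Authorization": "Bearer valid-token"}}
FORGED_EVENT = {"type": "REQUEST", "methodArn": METHOD_ARN,
                "headers": {"authorization": "Bearer forged-token"}}

if __name__ == "__main__":
    response = authorizer(GOOD_EVENT)
    print(json.dumps(response, indent=2))
    # Mock the proxy event the backend receives: the authorizer's context lands in
    # requestContext.authorizer, so the backend is testable without any JWT.
    print(backend_handler({"requestContext": {"authorizer": response["context"]}}))
    print("forged rejected:", is_rejected(authorizer, FORGED_EVENT))
```

Two things worth checking in a real deployment: the context map cannot carry nested values, so multi-valued claims such as `cognito:groups` have to be flattened (and split again in the backend), and the authorizer's result is cached per identity source for the configured TTL, so a revoked or expired token keeps working until the cache entry expires.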
