Reputation: 6888
I'm building an API served by a lambda through API Gateway. I already integrated with a Cognito user pool authorizer for some admin endpoints, which blocks non-authorized requests, but now I would like to add some endpoints that can be called by both authenticated and unauthenticated users (and return different data depending on authorization). For instance, you can imagine GET /users would only return basic profile info for the users if the request is not authenticated, and more details if it is.
What is the best way to set this up with API Gateway?
Upvotes: 4
Views: 1500
Reputation: 11449
When using Cognito you have the following possible options:
1) Cognito authorization
2) Lambda authorization: The advantage of using a Lambda Function is that it can perform authorization processing other than verification of the IdToken. For example, you can write processing according to your application, such as IP restrictions and allowing only specific user agents.
3) Inside your code, write a filter to intercept each request and response, manage your own role-based authorization, and return the response as needed.
Upvotes: 1
Reputation: 2658
Please have 2 different endpoints
API X with GET https://api.xyz.com/users (Lambda User as back-end and Cognito as Authorizer)
API Y with GET https://api.xyz.com/public/users (Lambda User as back-end and without Cognito)
Lambda User needs to check the 'Authorization' header to see what response should be returned. If 'authorized', return more detail; otherwise, return the least detail.
Please have 1 endpoint
API X with GET https://api.xyz.com/users (Lambda User as back-end without Cognito)
Lambda User needs to check the 'Authorization' header to see what response should be returned. If 'authorized', return more detail; otherwise, return the least detail.
The reason I prefer the first one is that we can have a set of public APIs separately across our system in the long run. It is also clear for all consumers, and easy for development and maintenance.
Upvotes: 4
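The handler both answers describe, as an added example that is not from either answer or from AWS: one Python Lambda behind GET /users that serves a public view to anonymous callers and a detailed view to authenticated ones. It covers both layouts above. On a route with the Cognito authorizer attached, API Gateway has already validated the token and the handler reads the claims it placed in `requestContext.authorizer.claims`; on a route without an authorizer, the handler parses the `Authorization` header and verifies the token itself. Everything named `DEMO_*`, `demo_token`, the `USERS` records and the HS256 secret are constructed for this example; real Cognito ID tokens are RS256-signed and must be verified against the user pool's JWKS with a JWT library, with the same issuer, `token_use` and expiry checks shown here.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical values, constructed for this example. A real Cognito ID token is
# RS256-signed and must be verified against the pool's JWKS (a JWT library does
# this); the HS256 secret below is a stand-in so the example runs offline.
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"
DEMO_ISSUER = "https://cognito-idp.example.com/EXAMPLE_POOL_ID"

# Constructed user records standing in for the database behind GET /users.
USERS = [
    {"id": "u1", "name": "Alice", "email": "alice@example.com", "phone": "+10000000001"},
    {"id": "u2", "name": "Bob", "email": "bob@example.com", "phone": "+10000000002"},
]
PUBLIC_FIELDS = ("id", "name")  # all an anonymous caller may see


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_token(token: str):
    """Return the claims of a valid token, or None for anything else.

    Never raises: a malformed, tampered, foreign or expired token simply
    means the caller is treated as unauthenticated.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # reject "none" and anything unexpected
            return None
        signed = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(DEMO_SECRET, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        # Checks a Cognito token also needs: issuer, token_use and expiry.
        if claims.get("iss") != DEMO_ISSUER or claims.get("token_use") != "id":
            return None
        if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] < time.time():
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None


def caller_claims(event: dict):
    """Claims for the caller, or None if the request is anonymous."""
    # Route with a Cognito authorizer attached: API Gateway has already
    # validated the token and placed its claims in requestContext.
    authorizer = (event.get("requestContext") or {}).get("authorizer") or {}
    if authorizer.get("claims"):
        return authorizer["claims"]
    # Route without an authorizer: inspect the Authorization header ourselves.
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token.strip():
        return verify_token(token.strip())
    return None


def list_users(claims) -> list:
    """Public projection for anonymous callers, full records otherwise."""
    if claims is None:
        return [{k: u[k] for k in PUBLIC_FIELDS} for u in USERS]
    return [dict(u) for u in USERS]


def response_body(event: dict) -> dict:
    claims = caller_claims(event)
    return {"authenticated": claims is not None, "users": list_users(claims)}


def handler(event: dict, context=None) -> dict:
    """Lambda entry point for GET /users (proxy integration)."""
    return {
        "statusCode": 200,
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps(response_body(event)),
    }


def demo_token(sub: str, lifetime: int = 3600, issuer: str = DEMO_ISSUER) -> str:
    """Mint an HS256 token with the demo secret (stands in for Cognito here)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(
        {"sub": sub, "iss": issuer, "token_use": "id", "exp": int(time.time()) + lifetime}
    ).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    print(handler({"headers": {"Authorization": "Bearer " + demo_token("u1")}})["body"])
    print(handler({"headers": {}})["body"])
```

Two design points are worth noting. The token check is deliberately fail-closed: any token that is malformed, tampered with, expired, or issued by another issuer degrades to the anonymous view rather than being trusted, which is the "otherwise, return the least detail" behaviour from the answer. Whether such tokens should instead get a 401, so that a broken client notices quickly, is a product decision; the code above is the one the answer describes. And because `list_users` builds the public view by projecting onto an explicit allow-list of fields, a new column added to the user record later does not leak to anonymous callers by default.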