Driving API Gateway Services using AWS Cognito vs. Okta

Epsilon India
Epsilon Engineering Blog
3 min read · May 14, 2024


By Abhishek Vajranabhaiah

Recently, I was involved in a large-scale pharma data-cloud implementation, where the challenge was to choose between cloud-native and other services for authentication and authorization behind a secured API gateway.

We had a requirement to provide API access to our clients (public access over the internet). During this process, we had to choose between two solution options: (1) AWS Cognito and (2) the organization’s existing Okta solution.

We went through a journey where we did a comparative analysis of both authentication and authorization methods, aiming to determine the most suitable solution for our specific requirements.

AWS Cognito and Okta both function as identity management solutions. However, AWS Cognito offers seamless integration with AWS services, while Okta caters to multi-cloud environments with extensive third-party integrations. The challenge was to convince the customer to choose the right solution.

API Gateway Solution

AWS API Gateway REST APIs offer two authorization methods:

  1. Lambda authorizer, which involves writing custom code to validate access tokens and evaluate access roles or scopes, then permit or deny access to the API for subsequent execution.
  2. Cognito authorizer, a configuration-based integration with API Gateway that validates access tokens (and the scopes they carry) issued by an AWS Cognito user pool.

Here, we’ll delve into both options for authenticating AWS APIs by utilizing access tokens generated through client credentials.

Okta Integration with AWS API Gateway

As an initial step, configure the OAuth authorization server in Okta and create app integrations to generate client IDs and secrets.

Steps involved in authenticating API using Okta:

  1. Obtain the access token by presenting the client credentials to the Okta OAuth token endpoint.
  2. Pass the access token to the API.
  3. Verify the access token in a Lambda function, and attach that function as the Lambda authorizer on the API resource methods.
  4. Evaluate the scope within the Lambda function to allow or deny access to the API for subsequent execution.
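Steps 3 and 4 above, as an added example that is not part of the original post: a Python Lambda authorizer that checks the token's signature, issuer, audience and expiry, then evaluates the scope and returns an Allow or Deny policy to API Gateway. The issuer, audience, scope name and HMAC demo secret are constructed placeholders so the code runs offline; real Okta access tokens are RS256-signed and would be verified against the authorization server's JWKS instead.

```python
import base64, hashlib, hmac, json, time

# Constructed values for this offline example. Real Okta tokens are RS256-signed and
# would be checked against the issuer's JWKS; iss/aud/exp and scope checks are the same.
ISSUER = "https://example.okta.com/oauth2/default"  # placeholder issuer
AUDIENCE = "api://default"                           # placeholder audience
REQUIRED_SCOPE = "orders.read"                       # assumed scope name
DEMO_SECRET = b"constructed-demo-secret"             # stands in for the JWKS

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_demo_token(claims):
    """Mint an HS256 token so the example runs offline (not how Okta signs)."""
    body = b64url_encode(json.dumps({"alg": "HS256"}).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    return body + "." + b64url_encode(hmac.new(DEMO_SECRET, body.encode(), hashlib.sha256).digest())

def verify_token(token, now=None):
    """Return the claims if signature, iss, aud and exp check out, else None."""
    now = time.time() if now is None else now
    try:
        h, p, sig = token.split(".")
        header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
        expected = hmac.new(DEMO_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if header["alg"] != "HS256" or not hmac.compare_digest(expected, b64url_decode(sig)):
            return None  # never accept "alg": "none" or a bad signature
        exp_ok = isinstance(claims.get("exp"), (int, float)) and claims["exp"] > now
        if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE or not exp_ok:
            return None
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # malformed token: bad base64/JSON, missing parts or fields
    return claims

def build_policy(principal, effect, method_arn):
    # IAM policy in the shape API Gateway expects back from an authorizer
    statement = {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
    return {"principalId": principal,
            "policyDocument": {"Version": "2012-10-17", "Statement": [statement]}}

def lambda_handler(event, context=None, now=None):
    """TOKEN authorizer: verify the bearer token, then evaluate its scopes."""
    scheme, _, token = (event.get("authorizationToken") or "").partition(" ")
    claims = verify_token(token, now) if scheme.lower() == "bearer" else None
    if claims is None:
        raise Exception("Unauthorized")  # API Gateway maps this message to a 401
    raw = claims.get("scp", claims.get("scope", []))  # Okta puts scopes in "scp"
    scopes = set(raw.split()) if isinstance(raw, str) else set(raw)
    effect = "Allow" if REQUIRED_SCOPE in scopes else "Deny"  # Deny policy -> 403
    return build_policy(claims.get("sub", "unknown"), effect, event["methodArn"])
```

A token that fails verification yields a 401 from API Gateway, while a valid token without the required scope yields an explicit Deny policy and a 403.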

AWS Cognito integration with API Gateway

As an initial step, create the Cognito user pool and create app integrations to generate client IDs and secrets.

Steps involved in authenticating API using Cognito:

  1. Obtain the access token by presenting the client credentials to the Cognito OAuth token endpoint.
  2. Pass the access token to the API.
  3. Configure the resource methods to use the Cognito authorizer, and add the roles and scopes that are allowed to access the API.

Comparison

In summary, based on my point of view and the implementation benefits, we chose the AWS Cognito solution over Okta, and it delivered business benefits as well.
