Securing Your Private API Endpoints with AzureAD Authentication and AWS API Gateway JWTAuth

Thanarat Ruangrat
StartupCTO
Jan 9, 2024 · 3 min read

Protect your API resources with robust authentication using AzureAD and AWS API Gateway’s JWT authorization capabilities.

How it works

1. User Authentication in AzureAD:

  • Users first sign in to their Azure Active Directory (AzureAD) account, where they're verified for identity and authorization.
  • Upon successful authentication, AzureAD issues a unique access token to the user. This token acts as their secure access key for subsequent API calls.

2. API Request with Access Token:

  • When a user attempts to access API resources through AWS API Gateway, they include the received access token in the Authorization header of their API request.

3. API Gateway’s Authorization Check:

  • API Gateway intercepts the incoming request and validates the access token using a dedicated JWT authorizer.
  • This authorizer verifies:
    - The token's authenticity and validity.
    - The user's permissions to access the specific API endpoint.

4. Access Granted to Authorized Users:

  • If the token is valid and the user has the necessary permissions, API Gateway grants access to the private API endpoint.
  • The API endpoint can then process the request and return the appropriate response to the user.

Implementation Steps

1. Azure App Registrations

Go to the Azure Portal and create an App Registration. In this step you should get the Application ID URI, which looks like api://xxxxxxx

2. App Registration Endpoints

Click “Endpoints” and copy the OpenID Connect metadata document endpoint (only the part marked in red)

3. Attach the Authorizer to the AWS API Gateway

Go to the AWS API Gateway Console. Navigate to the Authorization section, click the Add Authorizer button for the route that needs protection, and then provide the authorizer details below.
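The authorizer details are shown in a screenshot, so the following Python script is added here (it is not from the article) to make explicit what the JWT authorizer enforces on every request: a Bearer token in the Authorization header, a signature that verifies, an issuer matching the Issuer URL taken from the OpenID Connect metadata document of step 2, an audience matching the Application ID URI of step 1, and an unexpired token. AzureAD signs tokens with RS256 keys published in its JWKS; this stand-alone version uses an HS256 shared secret instead purely so it runs on the standard library, and the tenant, URI and key values are constructed placeholders.

```python
import base64, hashlib, hmac, json, time
# Constructed placeholders for the article's Azure settings: ISSUER is the "issuer"
# value in the OpenID Connect metadata document, AUDIENCE is the Application ID URI.
ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
AUDIENCE = "api://example-application-id-uri"
# Hypothetical shared key. AzureAD really signs with RS256 keys from its JWKS; HS256
# is used here only so the example runs on the standard library alone.
SECRET = b"constructed-test-key"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict) -> str:
    """Constructed token issuer (test helper standing in for AzureAD)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def authorize(headers: dict, now=None):
    """Apply the JWT authorizer's checks to one request; returns (allowed, reason)."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return False, "missing or malformed Authorization header"
    try:
        h, p, s = token.split(".")
        sig = _b64url_decode(s)
        header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))
    except ValueError:  # bad base64 or JSON (both error types subclass ValueError)
        return False, "token is not a well-formed JWT"
    if not (isinstance(header, dict) and isinstance(claims, dict)) or header.get("alg") != "HS256":
        return False, "unexpected token structure or signing algorithm"
    # Authenticity: the signature must verify under the issuer's key.
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "signature does not verify"
    # Validity: issuer, audience and expiry must match the authorizer's settings.
    if claims.get("iss") != ISSUER:
        return False, "issuer does not match the authorizer's Issuer URL"
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience does not match the Application ID URI"
    if claims.get("exp", 0) <= now:
        return False, "token has expired"
    return True, "ok"
```

Each denial reason corresponds to a request API Gateway would answer with 401 before it ever reaches the private route; a token minted for a different app (wrong audience) is rejected just like a missing header.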

Verify Result

Authenticate with AzureAD to get an access token, then call the API Gateway endpoint to verify the result.

1. Request without an authorization header.

2. Request with a valid authorization header.
