How to protect APIs with JWT and API Gateway Lambda Authorizer

Mariano Calandra
The Startup


JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact way to transmit claims, such as authentication and authorization facts, between two parties: an issuer and an audience. Each token is digitally signed, so a consumer can check that it was produced by the expected issuer and has not been altered in transit. Note that a signature gives integrity and authenticity, not confidentiality: the claims in a signed JWT are only base64url-encoded and can be read by anyone who holds the token.

In a previous story, we talked about it in depth: how a token is built, what problems it solves, the theory behind signature validation and, finally, how we can use it to protect a resource.

Fig. 1 — The classic flow of serverless authentication and authorization.

In that scenario, a client that wants to access a protected resource needs a JWT. If it does not have one, it first contacts the authentication server and exchanges its username and password for a freshly issued JWT (steps 1 to 3 of Fig. 1). With this token, it can then request the protected resource through Amazon API Gateway, which has to validate the token before forwarding the call (steps 4 to 6 of Fig. 1).

In that article we presented the theory, but nothing was said about a real implementation.

We need to fix it!
But first… a step back!
