AWS API Gateway Full OAuth/OIDC Authorization code flow

I would like a solution for how to configure AWS API Gateway to support Full OAuth/OIDC Authorization code flow with an OAuth provider (e.g. Cognito, Google, Github, OneLogin etc - they all adhere to the same OAuth/OIDC spec). This needs to include the login flow - see below for details.

I know AWS has recently released some enhancements to API Gateway and the AWS API Gateway now supports authorizers (Lambda/Cognito) but these only validate a JWT if present and return a YES(200)/No(401) decision; but they don't redirect to the OAuth provider for Login.

The two main flows that I want to support are -

  1. When the API gateway receives a request and the request already has a valid JWT token in header, then let the user through (I can use authorizer for this - not a problem)
  2. When the API gateway receives a request and the request does not provide a JWT token or the token is expired/tampered, I would like to redirect the user to the OAuth provider's sign-on page (Cognito/Other OAuth provider) so that the user can log in with 2FA. Once the login is complete, the OAuth provider sends a code back (this is Authorization code flow). The API gateway needs to be plugged in somehow to exchange this code for an access token; and then let the user through to the resource/backend. This would also have to set a JWT in the cookie/header so that subsequent requests from the user are automatically authenticated and the user is not prompted to log in again until their cookie session expires or the tokens in the JWT are expired.

I don't need a working POC solution but an architectural pattern to address this requirement. I am happy to offer tips for the right solution(s) on top of the bounty.

Have you configured the API gateway? Also, what front-end client are you looking for?
Chlegou 6 days ago
The front-end client is a standard desktop browser. I have an API Gateway with a lambda backend that works without the OAuth flow i.e. you can access the API Gateway stage URL without any authentication and I now need to protect it with the full OAuth login flow. Hope that clarifies it.
sgutha 6 days ago
So what I understood is that you only have to secure your backend, without the need for a frontend client. To do that, this tutorial should help you set up the authorization. Link: https://medium.com/@awskarthik82/part-2-securing-aws-api-gateway-using-aws-cognito-oauth2-scopes-and-openid-connect-f20fd1392e97 . After that, you should use Postman instead to add the bearer token to the header, since this action couldn't be done in the browser. Link: https://www.postman.com/
Chlegou 6 days ago
Don't forget to check part 1 of the Medium article: https://medium.com/@awskarthik82/part-1-securing-aws-api-gateway-using-aws-cognito-oauth2-scopes-410e7fb4a4c0 . Try it out, and if you need help, contact me privately and I will help you out doing it and setting up the environment for you.
Chlegou 6 days ago
Thanks @Chlegou, I've seen those articles as part of my research over the last few weeks but they don't help as I need the full flow working from the browser - including the login part. The authorization codes are only valid for a very short time like 30 to 60 seconds; so to go to 500 business users and ask them to get the code from the browser URL, then use Postman to exchange the code for a token within 60s and then modify headers (using say a Chrome extension) to access a site (CNAME'd to the API gateway endpoint) is impractical. Plus they'd have to do this every time the access token expires; and for every site (each API endpoint is a different OAuth application so its client id is different and its token can't be used by another endpoint).
sgutha 6 days ago
If it helps, I am looking for something at the API Gateway level that works similarly to how the OAuth authentication feature works at AWS ALB. Ref: https://aws.amazon.com/blogs/aws/built-in-authentication-in-alb/ With a little bit of config, this takes care of redirecting to the OAuth provider login page, receiving the auth code, exchanging it for an access token, setting up the relevant cookies, taking care of exchanging refresh token for new access tokens etc.
sgutha 6 days ago
Understood. If I find something helpful I will let you know. Thanks.
Chlegou 6 days ago


1 Solution


You can check out https://aws.amazon.com/blogs/compute/announcing-http-apis-for-amazon-api-gateway/ but it's in preview mode, not in all regions :P
If not that, write a Lambda to support your logic or Cognito user pool.
Cognito user pool would be a good use case support; you can maintain a login page and just dump everybody to denied that isn't logged in.
I know identity federators can save federated user information in a pool, but how API Gateway will behave is not much known to me. I guess a custom authorizer would need to be created anyway.
Would want to see this HTTP API in action

Hi @neoforyalll, as mentioned in my post, I have explored the recent enhancements to the API Gateway. The HTTP API for the gateway offers JWT authorizers - it requires things such as client id, issuer etc to verify that the JWT is signed by the issuer and is meant for the particular client id; but it does not help with redirection back to the OAuth provider's login page when the JWT is missing or has expired. Instead it throws a 401. Take Bountify for example, it offers sign-in through GitHub. Once a user signs in through GitHub, they get an access token; and can continue logged in to Bountify until the token expires. After that Bountify asks the user to log in again through GitHub and takes them to the GitHub login page; but doesn't present a 401.
sgutha 6 days ago
In continuation to the previous comment, cognito user pools are good. I can create a custom authorizer based on the cognito user pool and use that as authorizer for method request in API Gateway. This all works well when the JWT token already exists in header. It's the login flow i.e. full end to end OAuth flow that I can't get to work with the AWS API Gateway.
sgutha 6 days ago
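
The two flows described in the question, sketched as the decision logic of a function sitting behind the gateway. This is an added example, not part of the thread and not AWS's own code. Assumptions: the `event` dict is a simplified stand-in for the gateway's request event, `exchange_code` is a hypothetical callable that performs the back-channel token request and returns validated ID-token claims, all URLs and ids are placeholders, and an HMAC-signed session cookie stands in for the JWT so the example runs with the standard library only.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode

# Placeholder values constructed for this example.
AUTHORIZE_URL = "https://idp.example.com/oauth2/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://api.example.com/callback"
SESSION_KEY = b"example-only-key"  # in practice: loaded from a secrets store
COOKIE_FLAGS = "; Path=/; HttpOnly; Secure; SameSite=Lax"

def _sign(payload: bytes) -> str:
    mac = hmac.new(SESSION_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(mac).decode()

def _verify(value: str, now: float):
    """Return the claims if the cookie is authentic and unexpired, else None."""
    try:
        body, mac = (base64.urlsafe_b64decode(p) for p in value.split("."))
        claims = json.loads(body)
    except ValueError:  # wrong part count, bad base64, bad JSON
        return None
    good = hmac.compare_digest(mac, hmac.new(SESSION_KEY, body, hashlib.sha256).digest())
    return claims if good and claims.get("exp", 0) > now else None

def handle(event, now=None, exchange_code=None):
    """Decide between pass-through, redirect to login, and callback handling."""
    now = time.time() if now is None else now
    cookies = dict(c.strip().partition("=")[::2]
                   for c in event.get("cookie", "").split(";") if "=" in c)
    query = event.get("query", {})
    if event["path"] == "/callback":
        # The state echoed by the provider must match the one bound to this browser.
        state = cookies.get("oauth_state", "")
        if not state or not hmac.compare_digest(state.encode(), query.get("state", "").encode()):
            return {"status": 400, "headers": {}}
        claims = exchange_code(query.get("code", ""))  # code never leaves the server side
        session = _sign(json.dumps({"sub": claims["sub"], "exp": now + claims["expires_in"]}).encode())
        return {"status": 302, "headers": {"Location": "/",
                                           "Set-Cookie": "session=" + session + COOKIE_FLAGS}}
    if _verify(cookies.get("session", ""), now):
        return {"status": 200, "headers": {}}  # flow 1: forward to the backend
    # Flow 2: no usable session, so redirect to the provider instead of returning 401.
    state = secrets.token_urlsafe(16)
    params = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                        "redirect_uri": REDIRECT_URI, "scope": "openid", "state": state})
    return {"status": 302, "headers": {"Location": AUTHORIZE_URL + "?" + params,
                                       "Set-Cookie": "oauth_state=" + state + COOKIE_FLAGS}}
```
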