
In AWS API Gateway,
- We can set up a resource to require API Key for access.
- We can also set up another resource to require Authorization (e.g. JWT token, handled via a lambda function or AWS Cognito).

The question: can we configure a resource to be accessible in either of the above two situations? Currently, if we enable "API Key Required" and "Authorization" simultaneously, the request needs both the API Key and the Authorization. We were hoping for it to pass with only one of the two.

Hack/workaround: Create two copies of the same resource, and authorize each separately, one with API Key and the other one with an authorizer.

Amir
  • Hello, I have the exact same case and I am struggling with it for a few hours so far. Could you please tell me how you solved it? Many-many thanks in advance. I see your hack/workaround but maybe you figured out how it can be achieved using one resource? – Vladyslav Turak Sep 06 '20 at 13:54
  • I implemented a lambda function and used that as the authorizer. That gave me enough flexibility to have all kinds of JWT authorization as well as API key authentication. – Amir Sep 09 '20 at 06:13

2 Answers


Authentication, Identification, Authorization are intertwined concepts. As I got more educated on Auth, here is my answer:

  • API Keys are used for project/application identification and authorization
  • JWT are used for user authentication and authorization.
  • API Key is on project/application scope and JWT is on user scope. In other words, API Key only identifies the application, not the user of the application.

Accordingly, it makes sense not to authorize the same endpoint with both JWT and API Key as it would reduce the governance granularity for users and applications. But, if you have a use case that requires that type of authorization, the suggested workaround could work.

Amir

Let authorizer generate/map the API key for you

You have a Lambda authorizer return the API key as part of the authorization response. For more information on the authorization response, see Output from an Amazon API Gateway Lambda authorizer.

Pros:

  • Single end-point

  • API key is more for usage plan than authorization. Keep it that way.

Cons:

  • Authorizer will run on each request, which costs money.
qkhanhpro
  • We are using cognito for authorization. How do you suggest we integrate cognito with lambda authorizer? Wouldn't this be too much complexity/redundancy? – Amir Jun 10 '20 at 20:16
  • The reason we are using API Key for authorization: we have some internal services where we don't want to go through the Login and getting the JWT process. So, we are using API Key instead. – Amir Jun 10 '20 at 20:18
  • By "using cognito for authorization", what I understand is that you obtained the cognito's identity token or access token and provided it into the Authorization header for the request that is sent to APIGW. If this is the case you will need to remove the cognito automatic auth on API GW and handle it manually with Lambda. It is not particularly hard but yes, it does add more complexity. – qkhanhpro Jun 11 '20 at 03:02
  • @qkhanhpro, hey, thanks for your answer. I just cannot understand how I can verify Cognito's identity token in my custom Lambda authorizer. I do not know how Cognito decoded this token. So, how can I handle it manually? How can I create a signature to verify a token? When I was creating an app client in my User Pool, I unchecked "Generate client secret" because I make calls from my web app directly and "Cognito" authorizer checks everything. Maybe, in a case when I want to verify it manually, I need to have this value? Or this client secret serves another purpose? Thank you. – Vladyslav Turak Sep 06 '20 at 14:06
  • @VladyslavTurak the same way with all JWT Tokens. But there is some sample code with documentation provided by AWS here https://github.com/awslabs/aws-support-tools/tree/master/Cognito/decode-verify-jwt – qkhanhpro Sep 06 '20 at 16:15
  • The Authorizer has a caching system, so if we try to authorize an Application using the API Token within the Authorizer (along with the main purpose of the Authorizer), wouldn't that be cached? Therefore not every call invokes the Authorizer (it wouldn't be that bad in regards to cost of Authorizer) – shwz Aug 19 '22 at 19:16