
I am trying to decide which AWS API Gateway version to choose for my application (HTTP vs REST API Gateway).

I am experimenting with the AWS HTTP API Gateway to see if it works fine for my use case.

These are my requirements:

  1. The only client is a mobile application
  2. The REST API can be accessed only by logged-in users
  3. I want to use Cognito with the Cognito authorizer
  4. My backend is a mix of Lambda services and HTTP REST services exposed via an internal Application Load Balancer

Everything seems to be supported; the only concern is that I would have used an API key, but this feature is not currently supported on the HTTP API Gateway.

Are there any security concerns if I go for HTTP without any API key? What would be the right way to restrict access to only requests coming from my mobile app?

user3849960

1 Answer


Everything seems to be supported; the only concern is that I would have used an API key, but this feature is not currently supported on the HTTP API Gateway.

HTTP APIs support OpenID Connect and OAuth 2.0 authorization (see https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api.html).

If you have a custom API key, you can still use a Lambda authorizer to authenticate and authorize the client.

Are there any security concerns if I go for HTTP without any API key?

What do you mean by the API key? An API key is usually a static shared secret used mostly in backend applications. Given that the users need to be authenticated and are using the mobile app, having a hardcoded API key is not the best idea (read: it is a terrible idea).

Under these requirements the default option is using OAuth2/OIDC for user authorization and passing the user's access token along with the API requests.

What would be the right way to restrict access to only requests coming from my mobile app?

I want to use Cognito with the Cognito authorizer

The simplest and built-in way is using the access token from Cognito and the built-in JWT API authorizer. Yet you may configure any other option.

gusto2