We are planning on setting up an AWS API Gateway. We also have a requirement that every call that hits our API gateway should go through a JWT token validation. We are using Okta as our IDP which will generate an access token.
We tried AWS REST API gateway which supports lambda authorizer but the problem we have with it is that lambda's are too slow and there is no way we can cache the JWKS URI and keys. We would get 1000's of requests within a second and lambda's does not work well here. Our goal is to achieve token validation within 2 digit milliseconds which is only possible if we are able to cache the JWKS public key and refetch it only when it is rotated. Please note we do not want to use the caching option of REST API to cache authorization.
We also tried AWS HTTP API which support JWT authorizer but even here we are getting only 3 digit millisecond performance like 500ms-700ms. The majority of the time is spent on fetching the OIDC metdata endpoint and fetching the public key from okta issuer endpoint.
Now, we know that the we could implement our own custom token validation (Authorizer) within one of our own REST API service (Using golang or nodejs) that will run always within an EC2 instance or fargate server within an ECS cluster or for simplicity just within an EC2 instance.
Does AWS API gateway by any chance allow some kind of custom hook where whichever endpoint on the gateway is invoked it should first invoke our custom REST API endpoint which is running in an EC2 instance and then once it gets a valid token response it should invoke the actual URL. Is this even possible? If not, what other options do we have.
Thanks
