Passing backend API Token to AWS API Gateway internally

Question

Can anyone please help me with this Use-case? Use-case : I've created the secure proxy for a private resource in the AWS API gateway. For private integration I've used VPClink and configured the Cognito pool authorizer. But the backend private API already have some Oauth2 token configured and I've separate API to generate the OAuth2 token. I don't want the end client to send both token via api gateway request, But want to internally pass the token which is already configured on the backend private rest API, via API Gateway.

For now I've created the proxy and I'm passing both tokens via request.

Note : I don't want to use lambda function.

For Example: You tried to hit the API Gateway Endpoints via postman with all the required parameters, now the request should first go to authenticator endpoint to generate the Oauth2 Token, Once token is generated the token should be passed internally to actual backend private resource to return the response.

Also, I want to know if it's the best approach to pass backend API token internally or we can pass both tokens i.e. Backend API Token and API Gateway authorizer token, via request.

Answer 1

It would be ideal if your question was put in terms of the exact oauth terminology. This video is really helps with understand oauth2.0 and OIDC: https://www.youtube.com/watch?v=996OiexHze0

I will try and make an attempt to answer your question with the terminology you have used (so hopefully there is no confusion).

I suggest generating the token required by the "actual backend private resource" using an intermediate layer.

So in your example: If you tried to hit the API Gateway endpoint via Postman, you should only pass the "API Gateway authorizer token". At this point, the intermediate layer will intercept this, and verify it. If all looks good, then this layer should generate the "backend API token" and pass it to the "actual backend private resource". You can generate the token in your intermediate layer using machine to machine authorization (https://auth0.com/blog/using-m2m-authorization/). You can achieve this in cognito by generating an app client with the Client credentials flow (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-idp-settings.html).