
Does AWS Identity Management have the concept of on-behalf-of tokens when authenticating to APIs "on behalf of" a user? I thought that this was a key part of the OAuth2.0 protocol. I can't find any resources on this in any of AWS docs. If one uses AWS IAM with, say, lambdas, is this taken care of for you? (that is, safely authenticating from service to service with tokens)

Daniel
  • 2,345
  • 4
  • 19
  • 36

1 Answer

Microsoft's on-behalf-of flow is based on user assertions, which are defined in RFC 7523. This is an extension to the core OAuth 2.0 specification. AWS Cognito does not currently support this standard.

A more common technique is to simply forward JWT access tokens between APIs. Each API then checks for the expected issuer and audience, and also its required scopes.

With lambdas this is not taken care of, since AWS serverless tech only validates access tokens in the AWS API Gateway. As an alternative option it is possible to follow a zero trust model within each lambda, using a JWT library, e.g. in a middleware class. My code example shows one way to do this.

Gary Archer
  • 22,534
  • 2
  • 12
  • 24
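The zero-trust check the answer describes, as an added example that is not the answer's own code and not anything AWS ships: a lambda receives the JWT access token forwarded from the upstream API and verifies signature, issuer, audience, expiry and required scopes itself before doing any work. To run offline it signs with HS256 and a constructed shared secret; the issuer, audience and scope names are assumptions, and a real Cognito deployment would verify RS256 signatures against the issuer's JWKS instead.

```python
import base64, hashlib, hmac, json, time

# Constructed values for this example, not real AWS identifiers or keys.
SHARED_SECRET = b"example-hs256-secret-not-for-production"
EXPECTED_ISSUER = "https://issuer.example.com"
EXPECTED_AUDIENCE = "orders-api"

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def sign(head, body):
    return hmac.new(SHARED_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
def mint_token(claims):
    """Stand-in for the issuer so the example runs offline (HS256, shared secret)."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{head}.{body}.{b64url_encode(sign(head, body))}"

def validate_token(token, required_scopes):
    """Zero-trust check inside the lambda: signature, issuer, audience, expiry, scopes."""
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    head, body, sig = parts
    if json.loads(b64url_decode(head)).get("alg") != "HS256":  # never trust the token's alg
        raise PermissionError("unexpected alg")
    if not hmac.compare_digest(sign(head, body), b64url_decode(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise PermissionError("wrong issuer")
    aud = claims.get("aud")  # "aud" may be a string or a list of audiences
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("wrong audience")
    if claims.get("exp", 0) <= time.time():
        raise PermissionError("token expired")
    granted = set(str(claims.get("scope", "")).split())
    if not required_scopes <= granted:
        raise PermissionError("missing scopes: " + " ".join(sorted(required_scopes - granted)))
    return claims

def lambda_handler(event, context=None):
    # Middleware-style wrapper: the forwarded bearer token is checked before any business logic.
    auth = event.get("headers", {}).get("authorization", "")
    try:
        claims = validate_token(auth.removeprefix("Bearer "), {"orders:read"})
    except PermissionError as e:
        return {"statusCode": 401, "body": str(e)}
    return {"statusCode": 200, "body": json.dumps({"sub": claims["sub"]})}
```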