How to set up an OAuth2 Authentication Provider with AWS API Gateway?

cosbor11 picture cosbor11 · Aug 26, 2015 · Viewed 54.4k times · Source

AWS has an API Gateway, that makes it pretty easy to set up, manage and monitor your API. However, the security authorization settings that you can set for resource methods is limited to AWS-IAM (which to my understanding is an internal vpn role?).

It seems that my research on this subject has been pointing me to setting up an AWS Cognito pool, but when I go to configure one in my aws console, the options for providers are: Amazon, Facebook, Google+, Twitter, OpenID, and Custom. I guess, in that case, I would use Custom? Then setup my own EC2 instance as an OAuth2 Authentication Provider Server.

Given that Oauth2 is so popular these days it surprises me that there isn't an AWS service for this; it seems they've gone the whole OpenId or SAML route instead. It also surprises me that there is a lack of guides on how to quickly setup an Oauth2 Provider in the cloud.

Any help would be appreciated.

Answer

Takahiko Kawasaki picture Takahiko Kawasaki · Nov 13, 2015

(1) Do you want to implement OAuth 2.0 endpoints (authorization endpoint and token endpoint) on API Gateway? In other words, do you really want to implement an OAuth 2.0 server (RFC 6749) on API Gateway?

(2) Or, do you want to protect your Web APIs implemented on API Gateway by OAuth 2.0 access token?

These two are completely different things.

Because it seems you wanted to select OAuth 2.0 instead of AWS-IAM, I guess what you wanted to do is (2). If so, you can find an example here: Amazon API Gateway + AWS Lambda + OAuth


Updated on 2016-Apr-6

On Feb 11, 2016, a blog entry of AWS Compute Blog, "Introducing custom authorizers in Amazon API Gateway", announced that Custom Authorizer had been introduced into Amazon API Gateway. Thanks to this mechanism, an API built on Amazon API Gateway can delegate validation of a Bearer token (such as an OAuth or SAML token) presented by a client application to an external authorizer.

How to protect APIs built on Amazon API Gateway by OAuth access tokens utilizing the new mechanism, Custom Authorier, is described in "Amazon APi Gateway Custom Authorizer + OAuth".


FYI:

OAuth 2.0 is a mechanism for authorization, not authentication. But people often use OAuth 2.0 for authentication and there are many software libraries and services using OAuth 2.0 for authentication.

Cognito (Identity) is a solution related to authentication, not authorization.

Custom in Cognito is a place to specify OpenID Connect Providers. OpenID Connect is a solution for authentication. What makes things complicated is "OpenID Connect is built on top of OAuth 2.0". See OpenID Connect site for details.