Package software.amazon.awscdk.services.apigatewayv2.authorizers

AWS APIGatewayv2 Authorizers

See: Description

Interface Summary

Interface	Description
HttpJwtAuthorizerProps	(experimental) Properties to initialize HttpJwtAuthorizer.
UserPoolAuthorizerProps	(experimental) Properties to initialize UserPoolAuthorizer.

Class Summary

Class	Description
HttpJwtAuthorizer	(experimental) Authorize Http Api routes on whether the requester is registered as part of an AWS Cognito user pool.
HttpJwtAuthorizer.Builder	(experimental) A fluent builder for HttpJwtAuthorizer.
HttpJwtAuthorizerProps.Builder	A builder for HttpJwtAuthorizerProps
HttpJwtAuthorizerProps.Jsii$Proxy	An implementation for HttpJwtAuthorizerProps
HttpUserPoolAuthorizer	(experimental) Authorize Http Api routes on whether the requester is registered as part of an AWS Cognito user pool.
HttpUserPoolAuthorizer.Builder	(experimental) A fluent builder for HttpUserPoolAuthorizer.
UserPoolAuthorizerProps.Builder	A builder for UserPoolAuthorizerProps
UserPoolAuthorizerProps.Jsii$Proxy	An implementation for UserPoolAuthorizerProps

Package software.amazon.awscdk.services.apigatewayv2.authorizers Description

AWS APIGatewayv2 Authorizers

---

The APIs of higher level constructs in this module are experimental and under active development. They are subject to non-backward compatible changes or removal in any future version. These are not subject to the Semantic Versioning model and breaking changes will be announced in the release notes. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.

Table of Contents

• Introduction
• HTTP APIs
  • Default Authorization
  • Route Authorization
• JWT Authorizers
  • User Pool Authorizer

Introduction

API Gateway supports multiple mechanisms for controlling and managing access to your HTTP API. They are mainly classified into Lambda Authorizers, JWT authorizers and standard AWS IAM roles and policies. More information is available at Controlling and managing access to an HTTP API.

HTTP APIs

Access control for Http Apis is managed by restricting which routes can be invoked via.

Authorizers, and scopes can either be applied to the api, or specifically for each route.

Default Authorization

When using default authorization, all routes of the api will inherit the configuration.

In the example below, all routes will require the manage:books scope present in order to invoke the integration.

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object authorizer = HttpJwtAuthorizer.Builder.create()...
         .build();
 
 Object api = HttpApi.Builder.create(stack, "HttpApi")
         .defaultAuthorizer(authorizer)
         .defaultAuthorizationScopes(asList("manage:books"))
         .build();
 

Route Authorization

Authorization can also configured for each Route. When a route authorization is configured, it takes precedence over default authorization.

The example below showcases default authorization, along with route authorization. It also shows how to remove authorization entirely for a route.

• GET /books and GET /books/{id} use the default authorizer settings on the api
• POST /books will require the [write:books] scope
• POST /login removes the default authorizer (unauthenticated route)

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object authorizer = HttpJwtAuthorizer.Builder.create()...
         .build();
 
 Object api = HttpApi.Builder.create(stack, "HttpApi")
         .defaultAuthorizer(authorizer)
         .defaultAuthorizationScopes(asList("read:books"))
         .build();
 
 api.addRoutes(Map.of(
         (SpreadAssignment ...
           path
           path), "/books", ,
         "method", "get"));
 
 api.addRoutes(Map.of(
         (SpreadAssignment ...
           path
           path), "/books/{id}", ,
         "method", "get"));
 
 api.addRoutes(Map.of(
         (SpreadAssignment ...
           path
           path), "/books", ,
         "method", "post",
         "authorizationScopes", asList("write:books")));
 
 api.addRoutes(Map.of(
         (SpreadAssignment ...
           path
           path), "/login", ,
         "method", "post",
         "authorizer", new NoneAuthorizer()));
 

JWT Authorizers

JWT authorizers allow the use of JSON Web Tokens (JWTs) as part of OpenID Connect and OAuth 2.0 frameworks to allow and restrict clients from accessing HTTP APIs.

When configured, API Gateway validates the JWT submitted by the client, and allows or denies access based on its content.

The location of the token is defined by the identitySource which defaults to the http Authorization header. However it also supports a number of other options. It then decodes the JWT and validates the signature and claims, against the options defined in the authorizer and route (scopes). For more information check the JWT Authorizer documentation.

Clients that fail authorization are presented with either 2 responses:

• 401 - Unauthorized - When the JWT validation fails
• 403 - Forbidden - When the JWT validation is successful but the required scopes are not met

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object authorizer = HttpJwtAuthorizer.Builder.create()
         .jwtAudience(asList("3131231"))
         .jwtIssuer("https://test.us.auth0.com")
         .build();
 
 Object api = new HttpApi(stack, "HttpApi");
 
 api.addRoutes(Map.of(
         "integration", HttpProxyIntegration.Builder.create()
                 .url("https://get-books-proxy.myproxy.internal")
                 .build(),
         "path", "/books",
         "authorizer", authorizer));
 

User Pool Authorizer

User Pool Authorizer is a type of JWT Authorizer that uses a Cognito user pool and app client to control who can access your Api. After a successful authorization from the app client, the generated access token will be used as the JWT.

Clients accessing an API that uses a user pool authorizer must first sign in to a user pool and obtain an identity or access token. They must then use this token in the specified identitySource for the API call. More information is available at using Amazon Cognito user pools as authorizer.

 // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
 Object userPool = new UserPool(stack, "UserPool");
 Object userPoolClient = userPool.addClient("UserPoolClient");
 
 Object authorizer = HttpUserPoolAuthorizer.Builder.create()
         .userPool(userPool)
         .userPoolClient(userPoolClient)
         .build();
 
 Object api = new HttpApi(stack, "HttpApi");
 
 api.addRoutes(Map.of(
         "integration", HttpProxyIntegration.Builder.create()
                 .url("https://get-books-proxy.myproxy.internal")
                 .build(),
         "path", "/books",
         "authorizer", authorizer));