Amazon SAP-C02: Implement User Authorization for AWS Web Application with Third-Party Identity Provider

Learn the best solution for integrating a third-party identity provider with AWS API Gateway to enable user authorization for a production web application. Detailed explanation of configuring a Lambda authorizer and updating the web app.

Question

A company is using AWS to develop and manage its production web application. The application includes an Amazon API Gateway HTTP API that invokes an AWS Lambda function. The Lambda function processes and then stores data in a database.

The company wants to implement user authorization for the web application in an integrated way. The company already uses a third-party identity provider that issues OAuth tokens for the company’s other applications.

Which solution will meet these requirements?

A. Integrate the company’s third-party identity provider with API Gateway. Configure an API Gateway Lambda authorizer to validate tokens from the identity provider. Require the Lambda authorizer on all API routes. Update the web application to get tokens from the identity provider and include the tokens in the Authorization header when calling the API Gateway HTTP API.
B. Integrate the company’s third-party identity provider with AWS Directory Service. Configure Directory Service as an API Gateway authorizer to validate tokens from the identity provider. Require the Directory Service authorizer on all API routes. Configure AWS IAM Identity Center as a SAML 2.0 identity provider. Configure the web application as a custom SAML 2.0 application.
C. Integrate the company’s third-party identity provider with AWS IAM Identity Center. Configure API Gateway to use IAM Identity Center for zero-configuration authentication and authorization. Update the web application to retrieve AWS Security Token Service (AWS STS) tokens from IAM Identity Center and include the tokens in the Authorization header when calling the API Gateway HTTP API.
D. Integrate the company’s third-party identity provider with AWS IAM Identity Center. Configure IAM users with permissions to call the API Gateway HTTP API. Update the web application to extract request parameters from the IAM users and include the parameters in the Authorization header when calling the API Gateway HTTP API.

Answer

A. Integrate the company’s third-party identity provider with API Gateway. Configure an API Gateway Lambda authorizer to validate tokens from the identity provider. Require the Lambda authorizer on all API routes. Update the web application to get tokens from the identity provider and include the tokens in the Authorization header when calling the API Gateway HTTP API.

Explanation

The company already uses a third-party identity provider that issues OAuth tokens, so the most straightforward and integrated approach is to leverage that existing identity provider for the API Gateway authorization.

API Gateway supports Lambda authorizers (previously known as custom authorizers), which use a Lambda function to validate incoming tokens and control access to the API. The Lambda authorizer can be configured to validate the OAuth tokens issued by the third-party identity provider.

To implement this solution:

  1. Integrate the third-party identity provider with API Gateway by configuring an API Gateway Lambda authorizer. The Lambda authorizer function will receive the OAuth token, validate it against the identity provider, and return an IAM policy that either allows or denies access to the API.
  2. Enable the Lambda authorizer on all routes of the API Gateway HTTP API. This ensures that all incoming requests to the API will first be validated by the authorizer before being passed to the backend Lambda function.
  3. Update the web application to obtain OAuth tokens from the third-party identity provider. The application should include these tokens in the Authorization header when making requests to the API Gateway HTTP API.

When API Gateway receives a request, it will invoke the Lambda authorizer, passing the OAuth token. The authorizer validates the token and returns an allow or deny policy. If allowed, API Gateway will then invoke the backend Lambda function to process the request and interact with the database.
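The following is an added example of the authorizer described in the three steps above; it is not code from the original page or from AWS. It implements a Lambda authorizer for an HTTP API that takes the bearer token from the Authorization header, checks the token's signature, issuer, audience and expiry, and returns an IAM policy allowing or denying `execute-api:Invoke` on the route. The issuer, audience, shared secret and the `make_token` helper are constructed for the example. The one simplification to note: the example verifies an HS256 signature with a shared secret so it runs offline, whereas a real third-party OAuth provider normally signs with RS256 and the authorizer verifies against the provider's published JWKS keys; the claim checks and the policy response are the same either way.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values: in a real deployment these come from the identity
# provider's metadata (issuer URL, audience/client id) and its signing keys.
EXPECTED_ISSUER = "https://idp.example.com/"
EXPECTED_AUDIENCE = "web-app-api"
# Assumption for the example: HS256 with a shared secret. Most third-party
# OAuth providers sign with RS256; verify those against the provider's JWKS.
SHARED_SECRET = b"constructed-demo-secret"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the token's claims if it is valid, otherwise None."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: never let the token choose (rejects "none" and alg swaps).
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        signed = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(SHARED_SECRET, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed base64, JSON, or wrong number of segments
        return None
    if not isinstance(claims, dict) or claims.get("iss") != EXPECTED_ISSUER:
        return None
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


def _policy(principal: str, effect: str, resource: str, context: Optional[dict] = None) -> dict:
    """Build the IAM policy response API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}],
        },
        "context": context or {},
    }


def lambda_handler(event: dict, context=None) -> dict:
    # HTTP API payload format 2.0 supplies lower-cased headers and routeArn;
    # format 1.0 supplies methodArn instead.
    resource = event.get("routeArn") or event.get("methodArn") or "*"
    auth = event.get("headers", {}).get("authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return _policy("anonymous", "Deny", resource)
    claims = verify_token(token)
    if claims is None:
        return _policy("anonymous", "Deny", resource)
    # Pass useful claims to the backend Lambda via the authorizer context.
    return _policy(claims.get("sub", "unknown"), "Allow", resource, {"scope": claims.get("scope", "")})


def make_token(claims: dict) -> str:
    """Constructed, test-only token minting; in production the IdP issues tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    tok = make_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "user-42",
                      "exp": time.time() + 300, "scope": "orders:read"})
    event = {"routeArn": "arn:aws:execute-api:us-east-1:123456789012:abc123/$default/GET/orders",
             "headers": {"authorization": f"Bearer {tok}"}}
    print(json.dumps(lambda_handler(event), indent=2))
```

The handler returns the IAM policy response format, which is what the explanation describes; HTTP APIs can alternatively be configured for the simpler `{"isAuthorized": ...}` response. Either way the effect is the same: API Gateway only invokes the backend Lambda function when the authorizer allows the route, and the web application must send the provider-issued token as `Authorization: Bearer <token>` on every call.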

This approach provides a seamless integration between the existing identity provider and API Gateway, enabling granular user authorization for the web application. It leverages the company’s current OAuth setup, minimizing changes required to the identity infrastructure.

The other options are not suitable because:

  • Option B suggests using Directory Service, but the requirement is to integrate with the existing third-party identity provider, not introduce a new one.
  • Options C and D mention using IAM Identity Center (the successor to AWS Single Sign-On), but again, the goal is to use the current third-party identity provider directly with API Gateway.

Therefore, option A provides the most integrated and efficient solution by configuring an API Gateway Lambda authorizer to validate tokens from the company’s existing third-party identity provider.