Namespace Amazon.CDK.AWS.APIGatewayv2.Authorizers

AWS APIGatewayv2 Authorizers

--- End-of-Support 
AWS CDK v1 has reached End-of-Support on 2023-06-01.
This package is no longer being updated, and users should migrate to AWS CDK v2.

For more information on how to migrate, see the Migrating to AWS CDK v2 guide.

Table of Contents

    Introduction

    API Gateway supports multiple mechanisms for controlling and managing access to your HTTP API. They are mainly classified into Lambda Authorizers, JWT authorizers and standard AWS IAM roles and policies. More information is available at Controlling and managing access to an HTTP API.

    HTTP APIs

    Access control for Http Apis is managed by restricting which routes can be invoked via.

    Authorizers and scopes can either be applied to the api, or specifically for each route.

    Default Authorization

    When using default authorization, all routes of the api will inherit the configuration.

    In the example below, all routes will require the manage:books scope present in order to invoke the integration.

    using Amazon.CDK.AWS.APIGatewayv2.Authorizers;


var issuer = "https://test.us.auth0.com";
var authorizer = new HttpJwtAuthorizer("DefaultAuthorizer", issuer, new HttpJwtAuthorizerProps {
    JwtAudience = new [] { "3131231" }
});

var api = new HttpApi(this, "HttpApi", new HttpApiProps {
    DefaultAuthorizer = authorizer,
    DefaultAuthorizationScopes = new [] { "manage:books" }
});

    Route Authorization

    Authorization can also configured for each Route. When a route authorization is configured, it takes precedence over default authorization.

    The example below showcases default authorization, along with route authorization. It also shows how to remove authorization entirely for a route.

      using Amazon.CDK.AWS.APIGatewayv2.Authorizers;
using Amazon.CDK.AWS.APIGatewayv2.Integrations;


var issuer = "https://test.us.auth0.com";
var authorizer = new HttpJwtAuthorizer("DefaultAuthorizer", issuer, new HttpJwtAuthorizerProps {
    JwtAudience = new [] { "3131231" }
});

var api = new HttpApi(this, "HttpApi", new HttpApiProps {
    DefaultAuthorizer = authorizer,
    DefaultAuthorizationScopes = new [] { "read:books" }
});

api.AddRoutes(new AddRoutesOptions {
    Integration = new HttpUrlIntegration("BooksIntegration", "https://get-books-proxy.myproxy.internal"),
    Path = "/books",
    Methods = new [] { HttpMethod.GET }
});

api.AddRoutes(new AddRoutesOptions {
    Integration = new HttpUrlIntegration("BooksIdIntegration", "https://get-books-proxy.myproxy.internal"),
    Path = "/books/{id}",
    Methods = new [] { HttpMethod.GET }
});

api.AddRoutes(new AddRoutesOptions {
    Integration = new HttpUrlIntegration("BooksIntegration", "https://get-books-proxy.myproxy.internal"),
    Path = "/books",
    Methods = new [] { HttpMethod.POST },
    AuthorizationScopes = new [] { "write:books" }
});

api.AddRoutes(new AddRoutesOptions {
    Integration = new HttpUrlIntegration("LoginIntegration", "https://get-books-proxy.myproxy.internal"),
    Path = "/login",
    Methods = new [] { HttpMethod.POST },
    Authorizer = new HttpNoneAuthorizer()
});

      JWT Authorizers

      JWT authorizers allow the use of JSON Web Tokens (JWTs) as part of OpenID Connect and OAuth 2.0 frameworks to allow and restrict clients from accessing HTTP APIs.

      When configured, API Gateway validates the JWT submitted by the client, and allows or denies access based on its content.

      The location of the token is defined by the identitySource which defaults to the http Authorization header. However it also supports a number of other options. It then decodes the JWT and validates the signature and claims, against the options defined in the authorizer and route (scopes). For more information check the JWT Authorizer documentation.

      Clients that fail authorization are presented with either 2 responses:

        using Amazon.CDK.AWS.APIGatewayv2.Authorizers;
using Amazon.CDK.AWS.APIGatewayv2.Integrations;


var issuer = "https://test.us.auth0.com";
var authorizer = new HttpJwtAuthorizer("BooksAuthorizer", issuer, new HttpJwtAuthorizerProps {
    JwtAudience = new [] { "3131231" }
});

var api = new HttpApi(this, "HttpApi");

api.AddRoutes(new AddRoutesOptions {
    Integration = new HttpUrlIntegration("BooksIntegration", "https://get-books-proxy.myproxy.internal"),
    Path = "/books",
    Authorizer = authorizer
});

        User Pool Authorizer

        User Pool Authorizer is a type of JWT Authorizer that uses a Cognito user pool and app client to control who can access your Api. After a successful authorization from the app client, the generated access token will be used as the JWT.

        Clients accessing an API that uses a user pool authorizer must first sign in to a user pool and obtain an identity or access token. They must then use this token in the specified identitySource for the API call. More information is available at using Amazon Cognito user pools as authorizer.

        using Amazon.CDK.AWS.Cognito;
using Amazon.CDK.AWS.APIGatewayv2.Authorizers;
using Amazon.CDK.AWS.APIGatewayv2.Integrations;


var userPool = new UserPool(this, "UserPool");

var authorizer = new HttpUserPoolAuthorizer("BooksAuthorizer", userPool);

var api = new HttpApi(this, "HttpApi");

api.AddRoutes(new AddRoutesOptions {
    Integration = new HttpUrlIntegration("BooksIntegration", "https://get-books-proxy.myproxy.internal"),
    Path = "/books",
    Authorizer = authorizer
});

        Lambda Authorizers

        Lambda authorizers use a Lambda function to control access to your HTTP API. When a client calls your API, API Gateway invokes your Lambda function and uses the response to determine whether the client can access your API.

        Lambda authorizers depending on their response, fall into either two types - Simple or IAM. You can learn about differences here.

        using Amazon.CDK.AWS.APIGatewayv2.Authorizers;
using Amazon.CDK.AWS.APIGatewayv2.Integrations;

// This function handles your auth logic
Function authHandler;


var authorizer = new HttpLambdaAuthorizer("BooksAuthorizer", authHandler, new HttpLambdaAuthorizerProps {
    ResponseTypes = new [] { HttpLambdaResponseType.SIMPLE }
});

var api = new HttpApi(this, "HttpApi");

api.AddRoutes(new AddRoutesOptions {
    Integration = new HttpUrlIntegration("BooksIntegration", "https://get-books-proxy.myproxy.internal"),
    Path = "/books",
    Authorizer = authorizer
});

        IAM Authorizers

        API Gateway supports IAM via the included HttpIamAuthorizer and grant syntax:

        using Amazon.CDK.AWS.APIGatewayv2.Authorizers;
using Amazon.CDK.AWS.APIGatewayv2.Integrations;

AnyPrincipal principal;


var authorizer = new HttpIamAuthorizer();

var httpApi = new HttpApi(this, "HttpApi", new HttpApiProps {
    DefaultAuthorizer = authorizer
});

var routes = httpApi.AddRoutes(new AddRoutesOptions {
    Integration = new HttpUrlIntegration("BooksIntegration", "https://get-books-proxy.myproxy.internal"),
    Path = "/books/{book}"
});

routes[0].GrantInvoke(principal);

        WebSocket APIs

        You can set an authorizer to your WebSocket API's $connect route to control access to your API.

        Lambda Authorizer

        Lambda authorizers use a Lambda function to control access to your WebSocket API. When a client connects to your API, API Gateway invokes your Lambda function and uses the response to determine whether the client can access your API.

        using Amazon.CDK.AWS.APIGatewayv2.Authorizers;
using Amazon.CDK.AWS.APIGatewayv2.Integrations;

// This function handles your auth logic
Function authHandler;

// This function handles your WebSocket requests
Function handler;


var authorizer = new WebSocketLambdaAuthorizer("Authorizer", authHandler);

var integration = new WebSocketLambdaIntegration("Integration", handler);

new WebSocketApi(this, "WebSocketApi", new WebSocketApiProps {
    ConnectRouteOptions = new WebSocketRouteOptions {
        Integration = integration,
        Authorizer = authorizer
    }
});

        Classes

        HttpIamAuthorizer

        (experimental) Authorize HTTP API Routes with IAM.
        HttpJwtAuthorizer

        (experimental) Authorize Http Api routes on whether the requester is registered as part of an AWS Cognito user pool.
        HttpJwtAuthorizerProps

        (experimental) Properties to initialize HttpJwtAuthorizer.
        HttpLambdaAuthorizer

        (experimental) Authorize Http Api routes via a lambda function.
        HttpLambdaAuthorizerProps

        (experimental) Properties to initialize HttpTokenAuthorizer.
        HttpLambdaResponseType

        (experimental) Specifies the type responses the lambda returns.
        HttpUserPoolAuthorizer

        (experimental) Authorize Http Api routes on whether the requester is registered as part of an AWS Cognito user pool.
        HttpUserPoolAuthorizerProps

        (experimental) Properties to initialize HttpUserPoolAuthorizer.
        WebSocketLambdaAuthorizer

        (experimental) Authorize WebSocket Api routes via a lambda function.
        WebSocketLambdaAuthorizerProps

        (experimental) Properties to initialize WebSocketTokenAuthorizer.

        Interfaces

        IHttpJwtAuthorizerProps

        (experimental) Properties to initialize HttpJwtAuthorizer.
        IHttpLambdaAuthorizerProps

        (experimental) Properties to initialize HttpTokenAuthorizer.
        IHttpUserPoolAuthorizerProps

        (experimental) Properties to initialize HttpUserPoolAuthorizer.
        IWebSocketLambdaAuthorizerProps

        (experimental) Properties to initialize WebSocketTokenAuthorizer.