Amazon API Gateway supports two types of custom authorizers: Lambda authorizers and HTTP authorizers. Both of these types enable developers to control access to their APIs by using custom logic to authenticate and authorize requests.
Lambda authorizers (previously known as “custom authorizers”) are AWS Lambda functions that provide a flexible way to manage access to your APIs. They allow you to use custom logic to authenticate and authorize API requests. You can use Lambda authorizers with both REST and WebSocket APIs.
When a request is made to your API, API Gateway invokes the Lambda authorizer function. The function processes the request’s authorization token (usually an OAuth access token or a JWT) and returns an IAM policy that either allows or denies access to the API. API Gateway then uses that IAM policy to authorize the request.
Example:
Suppose you have an API that requires users to be authenticated using JWT tokens. You can create a Lambda authorizer that validates the JWT token and checks if the user has the necessary permissions to access the API.
```python
# validate_jwt, has_permission and generate_policy are placeholder helpers in this
# sketch; the policy returned must be an IAM policy document for execute-api:Invoke.
def lambda_handler(event, context):
    token = event['authorizationToken']
    # Validate the JWT token and extract claims
    claims = validate_jwt(token)
    # Check if the user has necessary permissions
    if has_permission(claims):
        return generate_policy(claims['sub'], 'Allow', event['methodArn'])
    else:
        return generate_policy(claims['sub'], 'Deny', event['methodArn'])
```
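The sketch above leaves the validation and policy-building steps undefined. The following is an added, self-contained example (not code from the original page or from AWS) that fills them in: it verifies an HS256 JWT against a shared secret using only the standard library, rejects forged, expired and malformed tokens, checks a constructed `scope` claim for authorization, and returns the `principalId` plus IAM policy document that API Gateway expects from a Lambda authorizer. The secret, the `api:read` scope and the `make_token` helper are assumptions made for the demonstration.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret; a real deployment loads it from Secrets Manager or SSM.
SECRET = b"demo-shared-secret"

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims, secret=SECRET):
    """Mint an HS256 JWT (test helper standing in for the identity provider)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def validate_jwt(token, secret=SECRET, now=None):
    """Return the claims when signature and expiry check out, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # refuse alg=none and algorithm-confusion tokens
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # signature does not match: token forged or tampered
        claims = json.loads(_b64url_decode(payload_b64))
        if float(claims.get("exp", 0)) <= (time.time() if now is None else now):
            return None  # expired or missing exp
        return claims
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token: wrong segment count, bad base64 or JSON

def generate_policy(principal_id, effect, resource):
    """Response shape API Gateway expects: principalId plus an IAM policy document."""
    statement = {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}
    return {"principalId": principal_id,
            "policyDocument": {"Version": "2012-10-17", "Statement": [statement]}}

def lambda_handler(event, context):
    token = event.get("authorizationToken") or ""
    token = token[7:] if token.startswith("Bearer ") else token
    claims = validate_jwt(token)
    if claims is None:  # authentication failed: deny, never fall through to Allow
        return generate_policy("anonymous", "Deny", event["methodArn"])
    # Authorization step: require the api:read scope (scope claim constructed for this example).
    effect = "Allow" if "api:read" in claims.get("scope", "").split() else "Deny"
    return generate_policy(claims["sub"], effect, event["methodArn"])
```

Because API Gateway caches the returned policy per token for the authorizer's TTL, a policy whose `Resource` is only the current `methodArn` will not cover other routes called with the same token during that window; widen `Resource` deliberately if you rely on caching.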
HTTP authorizers are a newer addition to API Gateway and authorize requests by making an HTTP call to an external service. They work with REST and HTTP APIs, but not with WebSocket APIs.
When a request is made to your API, API Gateway sends an authorization request to the specified HTTP endpoint. The external service processes the request and returns a JSON object that contains an IAM policy and additional context information. API Gateway uses the IAM policy to authorize the request.
Example:
Suppose you have an API that requires users to be authenticated using an external OAuth 2.0 provider. You can create an HTTP authorizer that sends an HTTP request to your OAuth 2.0 provider to validate the access token and check the user’s permissions.
```json
{
  "version": "2.0",
  "type": "HTTP",
  "authorizerUri": "https://your-oauth-provider.com/validate",
  "identitySource": ["$request.header.Authorization"]
}
```
Important Details
- Lambda authorizers offer more flexibility and can be used with REST, HTTP, and WebSocket APIs. HTTP authorizers, on the other hand, only work with REST and HTTP APIs.
- Both Lambda and HTTP authorizers enable you to use custom logic to authorize requests, but Lambda authorizers use an AWS Lambda function, whereas HTTP authorizers rely on an external HTTP service.
- Lambda authorizers may introduce higher latency, as the Lambda function needs to be invoked on each request. HTTP authorizers have the advantage of being able to cache the IAM policies, reducing the number of calls to the external service.
- When using Lambda authorizers, you should be aware of the AWS Lambda service limits, such as concurrent executions and function duration. These limits may impact the performance and availability of your authorizer.