In my project, I presently have a legacy authentication flow that works like this:
- There is a standalone client that talks to an API service, which is a custom application running in a container.
- A cloud Identity Provider (IdP) is used that supports OAuth with PKCE. It provides its token via the usual login process: the user goes to a login page and is then redirected to a callback. The API service acts as the recipient of the callback. It therefore obtains IdP token-1 and stores it in a cache. Based on this, it returns to the client a modified token-2, "computed" from token-1 but different.
- Once the client needs to make a REST call, it decorates it with the token-2 JWT. The call goes to the API service, which matches it to token-1, which can then be validated against the IdP.
I need to get rid of the API service using cloud-native mechanisms. I assume that AWS HTTP API Gateway can be integrated with the IdP directly using its JWT Authorizer capability. Regretfully, I cannot affect the current legacy flow, which must remain functional.
However, I would like to insert a Lambda between the JWT Authorizer and the client endpoints which would exchange client-facing tokens for IdP tokens (doing what the API service was doing). Would that be possible, and how can I approach this?
question from:
https://stackoverflow.com/questions/65832404/replacing-jwt-token-by-another-jwt-token-while-using-an-authorizer-in-http-api-g
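The token-2 to token-1 exchange the question describes, written as an added example (this is not code from the original post, nor anything AWS ships). It models the legacy API service's two jobs in a form that could sit in a Lambda: minting token-2 at the OAuth callback and mapping token-2 back to the cached token-1 on each request. Everything about the token format is an assumption, since the post only says token-2 is "computed" from token-1 but different: here token-2 is an HS256 JWT signed with our own key and carrying a random `jti` that keys an in-memory dict standing in for the cache, so the client never holds any IdP material. `lambda_handler` assumes the HTTP API Lambda-authorizer "simple response" shape (`isAuthorized` plus `context`) and that API Gateway makes the `context` values available to the integration (for example through parameter mapping); the key, TTL and sample token-1 value are constructed for the example.

```python
"""Added example, not from the original post: token-2 <-> token-1 exchange
as the legacy API service performed it, in Lambda-authorizer form."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Hypothetical signing key for client-facing tokens (token-2). It is our key,
# never the IdP's; the IdP only ever sees token-1.
TOKEN2_KEY = b"example-token2-signing-key-not-for-production"
TOKEN2_TTL = 3600  # seconds a token-2 stays usable (assumed value)

# Stand-in for the API service's cache: jti -> IdP token (token-1).
_cache: dict = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _now(now: Optional[int]) -> int:
    return int(time.time()) if now is None else now


def mint_token2(token1: str, subject: str, now: Optional[int] = None) -> str:
    """Callback side: cache token-1 and hand the client a token-2.
    token-2 carries only an opaque jti, so leaking it does not leak token-1."""
    now = _now(now)
    jti = secrets.token_urlsafe(16)
    _cache[jti] = token1
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(
        {"sub": subject, "jti": jti, "iat": now, "exp": now + TOKEN2_TTL}).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(TOKEN2_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token2(token2: str, now: Optional[int] = None) -> dict:
    """Check our own HS256 signature and expiry. Raises ValueError on any
    defect (malformed, wrong alg, bad signature, expired)."""
    now = _now(now)
    parts = token2.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the alg: refuses "none" and RS/HS confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(TOKEN2_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def exchange(token2: str, now: Optional[int] = None) -> Optional[str]:
    """Request side: token-2 -> token-1 via the cache; None if invalid or unknown.
    Only verified tokens reach the cache lookup, so the jti is never a guess."""
    try:
        claims = verify_token2(token2, now)
    except ValueError:  # covers json and base64 errors too (both subclass ValueError)
        return None
    return _cache.get(claims.get("jti"))


def lambda_handler(event: dict, context=None) -> dict:
    """HTTP API Lambda authorizer, simple-response form (assumed shape).
    On success the IdP token is returned in `context` so the integration can
    receive token-1 while the backend never sees token-2."""
    headers = event.get("headers") or {}
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("bearer "):
        return {"isAuthorized": False}
    token1 = exchange(auth[7:].strip())
    if token1 is None:
        return {"isAuthorized": False}
    return {"isAuthorized": True, "context": {"idp_token": token1}}


if __name__ == "__main__":
    # Constructed sample: an opaque stand-in for the IdP's token-1.
    t2 = mint_token2("sample-idp-token-1", "alice")
    print(lambda_handler({"headers": {"authorization": "Bearer " + t2}}))
```

Two points worth noting for the migration the question asks about. First, the cache is the real obstacle: a Lambda is stateless, so `_cache` would have to become an external store (and the lookup stays keyed by the unguessable `jti`, never by anything the client chooses). Second, a JWT Authorizer validates a token against an issuer's published keys, so it can only accept token-2 if the key that signs token-2 is published at a JWKS the authorizer trusts; otherwise the exchange above belongs in a Lambda authorizer that runs instead of, not after, the JWT Authorizer.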