Thursday, December 29, 2022

Integration - Lambda, API Gateway, OKTA/oAuth, WAF

WAF

Load Balancer

OKTA

Lambda

API Gateway

Terraform

Extras

Thursday, December 8, 2022

API Gateway Configuration with Other services

OKTA and API Gateway Config

  1. Subscribe to Okta and configure an OAuth2 client in Okta.
    • Create an application in Okta (an API Services app, since the client will use the client_credentials grant)
      • Note the generated Client ID
      • Generate a Client Secret and store it in a secrets manager; it never belongs in code or a repository
    • Configure the API (the custom authorization server)
      • Set the Audience; it becomes the "aud" claim that the API Gateway authorizer compares against
      • Create Scopes; the scopes granted to a token appear in its "scp" claim
      • Generate an OAuth token to confirm the setup works
    • Get the token_endpoint from the issuer's metadata document (<issuer>/.well-known/oauth-authorization-server); the same document carries the jwks_uri from which API Gateway fetches the signing keys
    • Call the token_endpoint with grant_type=client_credentials and the client credentials to get an access_token
  2. Deploy a sample API Gateway HTTP API with a test endpoint
    • Log in to the AWS console and select API Gateway
    • Create API
      • Select the HTTP API option and click Build
      • Enter the API name, click "Review and create", then Create
      • Select Routes under Develop in the left menu
    • Click Create
      • Select the method (GET, PUT, etc.)
      • Enter the path (e.g. /users or /pet/{id})
      • The route is created
    • Select the created route
      • Click Attach authorizer
        • If an authorizer already exists, select it from the list
        • Otherwise select Create and attach an authorizer
          • Authorizer type: JWT
          • Enter the authorizer name, the issuer URL and the audience, then save. Authorization scopes are set per route when the authorizer is attached, not on the authorizer itself; a route with scopes rejects tokens that lack them.
      • Select Integration
        • Create an integration for this API
          • Integration type: HTTP URI
          • Enter the integration details: method type, API URL, timeout
      • Deploy: if a stage exists select it, otherwise create a stage
        • Under Protect, select Throttling and set the stage default and per-route throttling as needed
        • Under Monitor, configure metrics and logging as needed
        • Click Deploy and select the stage
      • Cache settings (Optimize > Cache settings, or Enable API cache under the stage's Settings tab) exist only for REST APIs; an HTTP API has no response cache, so skip this step unless the API is rebuilt as a REST API
    • The API Gateway side of the Okta integration is done: routes with the JWT authorizer attached now require a valid Okta access token in the Authorization header
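The two halves of the procedure above meet on the wire, so here is an added example (written for these notes, not code from Okta, AWS or the original post) of the client side in Go. It discovers token_endpoint from the issuer's metadata document, runs the client_credentials grant, and calls a route on the HTTP API with the resulting Bearer token; this is also the exchange that steps 1 to 3 of the December 1 post describe. The issuer URL, client ID, client secret, scope name and invoke URL are placeholders I made up; substitute the values from your Okta tenant and stage.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// OktaClient is the OAuth2 client registered in Okta (step 1); Issuer is the custom authorization server URL.
type OktaClient struct {
	Issuer, ClientID, ClientSecret string
	HTTP                           *http.Client
}

// TokenResponse is the part of the token endpoint reply the client needs.
type TokenResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
}

// send performs req and returns the status plus at most 1 MiB of the body.
func send(hc *http.Client, req *http.Request) (int, []byte, error) {
	resp, err := hc.Do(req)
	if err != nil {
		return 0, nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	return resp.StatusCode, body, err
}

// TokenEndpoint reads token_endpoint from the issuer's metadata document, so a wrong issuer fails here.
func (c *OktaClient) TokenEndpoint(ctx context.Context) (string, error) {
	metaURL := strings.TrimSuffix(c.Issuer, "/") + "/.well-known/oauth-authorization-server"
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, metaURL, nil)
	if err != nil {
		return "", err
	}
	status, body, err := send(c.HTTP, req)
	if err != nil {
		return "", err
	}
	var meta struct {
		TokenEndpoint string `json:"token_endpoint"`
	}
	if status != http.StatusOK || json.Unmarshal(body, &meta) != nil || meta.TokenEndpoint == "" {
		return "", fmt.Errorf("issuer metadata unusable (status %d): %s", status, body)
	}
	return meta.TokenEndpoint, nil
}

// AccessToken runs the client_credentials grant; the secret travels in the HTTP Basic header (RFC 6749 s2.3.1), never in a query string.
func (c *OktaClient) AccessToken(ctx context.Context, scopes ...string) (*TokenResponse, error) {
	endpoint, err := c.TokenEndpoint(ctx)
	if err != nil {
		return nil, err
	}
	form := url.Values{"grant_type": {"client_credentials"}, "scope": {strings.Join(scopes, " ")}}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.SetBasicAuth(url.QueryEscape(c.ClientID), url.QueryEscape(c.ClientSecret))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	status, body, err := send(c.HTTP, req)
	if err != nil {
		return nil, err
	}
	var tr TokenResponse
	if status != http.StatusOK || json.Unmarshal(body, &tr) != nil || tr.AccessToken == "" || !strings.EqualFold(tr.TokenType, "Bearer") {
		return nil, fmt.Errorf("token request failed (status %d): %s", status, body)
	}
	return &tr, nil
}

// CallAPI invokes the API Gateway route with the token as a Bearer credential: 401 means the JWT authorizer rejected it, 403 that a route scope is missing.
func CallAPI(ctx context.Context, hc *http.Client, apiURL, accessToken string) (int, []byte, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, apiURL, nil)
	if err != nil {
		return 0, nil, err
	}
	req.Header.Set("Authorization", "Bearer "+accessToken)
	return send(hc, req)
}

func main() {
	// Placeholder tenant, client and invoke URL; the secret belongs in a secrets manager, not in source.
	c := &OktaClient{Issuer: "https://dev-000000.okta.com/oauth2/default", ClientID: "0oa-placeholder",
		ClientSecret: "placeholder-secret", HTTP: &http.Client{Timeout: 10 * time.Second}}
	tok, err := c.AccessToken(context.Background(), "users:read")
	if err != nil {
		fmt.Println("token error:", err)
		return
	}
	fmt.Println(CallAPI(context.Background(), c.HTTP, "https://abc123.execute-api.us-east-1.amazonaws.com/users", tok.AccessToken))
}
```

Discovering the endpoint from the metadata document rather than hard-coding /v1/token means a typo in the issuer surfaces as a metadata error instead of a confusing 401 from API Gateway, where the authorizer's configured issuer and the token's iss claim would silently disagree. Sending the client secret in the Basic header keeps it out of most request logs; loading it from a secrets manager rather than a constant is the other half of that.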

 

  • WAF deployed on API Gateway (AWS WAF associates with REST API stages only; HTTP APIs cannot be protected this way, so the API below is built as a REST API)
    1. Select REST API and Build
      • Enter the settings (API name and related details) and create the API
      • In the API's Resources list (middle section):
        • Select Actions > Create Method, choose a method (GET, PUT, etc.) and confirm with the tick mark
          • Under the method, define the integration type and integration details and save
        • Deploy the API to a new stage or an existing one
      • The middle section now lists the Stages and the right section shows the stage editor
        • Select Settings in the editor, enable API cache if needed, apply a client certificate if one exists (so the backend can verify that calls come from API Gateway) and select an existing Web ACL or create a new one
          • Clicking Web ACL opens the WAF console
            • Enter the details, select Resource type "Regional resources" and select the region of the API
            • Select "Associate AWS resources"
              • In the window that opens select the API Gateway resource type
              • Select the API and stage that WAF should protect and click Add
              • Select Next
              • Create new rules or add existing rules and managed rule groups to this Web ACL
              • Select the default Web ACL action (Allow or Block) for requests that match no rule
              • Add a token domain list only if a rule uses the CAPTCHA or Challenge action
              • Click Next
                • Set rule priorities as needed; WAF evaluates rules in ascending priority order and stops at the first Allow or Block
                • Add CloudWatch metrics and select Next
                • Review the Web ACL details and select Create web ACL
            • The same procedure applies to the other supported regional resources, such as an Application Load Balancer, but not to a Network Load Balancer: a Web ACL cannot be associated with an NLB
        • Go back to API Gateway and select the API that needs WAF protection
          • Select the stage and its Settings
            • Select the Web ACL from the list and save
    2. Requests to that stage now pass through the Web ACL before API Gateway evaluates authorizers or policies, so blocked requests never reach the integration
    3. WAF is attached per stage, so only the APIs (and stages) that need protection carry the Web ACL


Thursday, December 1, 2022

AWS API Gateway - OKTA and Auth0





  1. The client application invokes Okta's /token endpoint with the OAuth2 client_credentials grant to get a JWT access token.
  2. Okta returns a JWT access token, signed (RS256) with the authorization server's current signing key, which the token's "kid" header identifies.
  3. The client invokes the API configured in AWS API Gateway, passing the Okta JWT in the Authorization header as a Bearer token.
  4. API Gateway's built-in JWT authorizer validates the token: it fetches the public keys from Okta's jwks_uri (advertised in the issuer's metadata document), picks the key matching the token's kid and verifies the signature, then checks that the issuer (iss) and audience (aud) claims match the authorizer configuration and that the token is within its validity window (exp, nbf, iat). If the route defines authorization scopes, the token's scope or scp claim must contain every one of them.
  5. Refer https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-jwt-authorizer.html
  6. The built-in JWT authorizer returns the validation result to API Gateway. This happens in the background; no custom authorizer code is involved.
  7. If all validations succeed, API Gateway forwards the request to the target API endpoint. If the token is invalid, API Gateway returns 401 Unauthorized; if the token is valid but the required scopes are missing, it returns 403 Forbidden.
  8. The API endpoint returns the response to API Gateway.
  9. API Gateway returns the response to the client application.
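Step 4 is where the access decision is made, so as an added example (my own re-implementation for these notes, not the code AWS runs) here is a Go program that performs those checks against a JWKS document: signature by the key whose kid matches the header, with the algorithm pinned to RS256, then iss, aud, exp/nbf and the route's scopes, mapping each failure to the 401 or 403 that API Gateway returns. The issuer, audience, scope and kid values are invented for the demo, and NewSigningKey stands in for Okta's signing key so the program runs offline; the real authorizer fetches the JWKS from jwks_uri and also checks iat.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// JWK is the RSA subset of a JSON Web Key; JWKS is the document Okta's jwks_uri serves.
type JWK struct {
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}
type JWKS struct{ Keys []JWK `json:"keys"` }

// Claims: Okta puts a single string in aud and the granted custom scopes in scp.
type Claims struct {
	Iss string   `json:"iss"`
	Aud string   `json:"aud"`
	Exp int64    `json:"exp"`
	Nbf int64    `json:"nbf,omitempty"`
	Scp []string `json:"scp"`
}
var enc = base64.RawURLEncoding

// Authorize applies the JWT authorizer's checks (issuer, audience, route scopes) and returns the status
// API Gateway would send: 200 on success, 401 for signature/issuer/audience/time failures, 403 for a missing scope.
func Authorize(keys JWKS, issuer, audience string, scopes []string, token string, now int64) (*Claims, int, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, 401, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := enc.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, 401, fmt.Errorf("unreadable header")
	}
	var key *JWK // selected by kid; alg is pinned so the header cannot pick "none" or HS256
	for i := range keys.Keys {
		if keys.Keys[i].Kid == hdr.Kid {
			key = &keys.Keys[i]
		}
	}
	if hdr.Alg != "RS256" || key == nil {
		return nil, 401, fmt.Errorf("alg %q or kid %q not accepted", hdr.Alg, hdr.Kid)
	}
	n, errN := enc.DecodeString(key.N)
	e, errE := enc.DecodeString(key.E)
	sig, errS := enc.DecodeString(parts[2])
	if errN != nil || errE != nil || errS != nil {
		return nil, 401, fmt.Errorf("bad key or signature encoding")
	}
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, 401, fmt.Errorf("signature invalid")
	}
	var c Claims // claims are only trusted after the signature has verified
	if raw, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, 401, fmt.Errorf("unreadable payload")
	}
	if c.Iss != issuer || c.Aud != audience {
		return nil, 401, fmt.Errorf("issuer %q / audience %q not accepted", c.Iss, c.Aud)
	}
	if c.Exp <= now || c.Nbf > now {
		return nil, 401, fmt.Errorf("token outside its validity window")
	}
	granted := " " + strings.Join(c.Scp, " ") + " " // scope tokens contain no spaces (RFC 6749 s3.3)
	for _, s := range scopes {
		if !strings.Contains(granted, " "+s+" ") {
			return &c, 403, fmt.Errorf("missing scope %q", s)
		}
	}
	return &c, 200, nil
}

// MintToken plays Okta for the demo: RS256-sign the claims and label the token with the key's kid.
func MintToken(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + enc.EncodeToString(sig), err
}
// NewSigningKey stands in for Okta's signing key: a fresh RSA key plus the JWKS entry the authorizer would download.
func NewSigningKey(kid string) (*rsa.PrivateKey, JWKS, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, JWKS{}, err
	}
	return priv, JWKS{Keys: []JWK{{Kid: kid, N: enc.EncodeToString(priv.N.Bytes()), E: enc.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}}, nil
}
```

The ordering is the point: the algorithm and key are fixed from the verifier's side before the signature is checked, so a token whose header says alg none or HS256 is rejected without its claims ever being read, and claims are only parsed after the signature verifies. Scopes are checked last and return 403 together with the parsed claims, which mirrors API Gateway's distinction between an invalid token and a valid one that lacks authorization for the route.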



