rawcoder

asked on

AWS Api Gateway: How to handle authorization, authentication, SSO, etc.

I am reviewing several approaches to re-developing a Node.js RESTful monolithic application using microservices combined with an API gateway. In looking at using the AWS API Gateway, though, there seem to be a few items I have not been able to find a lot of documentation on. For one, the application I am designing has to be able to support SSO; I would like users to be able to register by either creating a local login or using their current Facebook, Twitter, etc. social accounts.

How would this process be handled by AWS API Gateway, especially since I would need to use a custom database to write to and read from, not to mention authorizing the user?

Additionally, for example, say my microservices have the following bounded contexts:

account (login, registration, profile management),

billing (may not be ideal for serverless due to running time; may opt for Docker + EC2),

friend (setting up friend associations),

file (users can upload pictures and videos to their timeline; seems to be another Docker + EC2 candidate);

and I want to use an API gateway to secure all of the microservice endpoints except the ones specific to login and registration, how should this be done?

Node.js has a package called Passport that seems to handle JWT and authenticating users via Facebook, Twitter, local, etc.; can I use this with the API Gateway authentication?

Also, if the API gateway is securing the microservices, how do the request object and response object get passed between the gateway and the microservices for the various requests made?

Additionally, if these items are too involved for AWS API Gateway and I have to build a custom API gateway and microservices, where the gateway is listening on a different port and contained in a separate Docker container, how should it regulate permissions for the microservices that are in other Docker containers listening on other ports?

In a nutshell, any documentation that really walks through this process and answers the questions that I have listed above will be extremely helpful. Additionally, if I am looking at this the wrong way or asking the wrong kind of questions, advice in that regard would be helpful as well.
Phil Phillips

You're probably best off creating a custom authorizer. Since custom authorizers are Lambda functions, you can use the Node.js packages that you mentioned.

There's a pretty good overview of the flow of the request when using a custom authorizer here:
http://docs.aws.amazon.com/apigateway/latest/developerguide/use-custom-authorizer.html. Hopefully that should be enough to get you started.